[svlug] (forw) [DNG] Linux system can be brought down by sending SIGILL to Systemd

Michael Eager eager at eagerm.com
Sat May 25 09:47:26 PDT 2019


On 5/25/19 1:18 AM, Rick Moen wrote:
> Quoting Michael Eager (eager at eagerm.com):
> 
>> What happened with the idea that if you are running as root you can
>> break the system?
> 
> Nothing.  I don't want to seem confrontational about this, Michael, but
> it seems like you missed the point, which is:
> 
>> If you don't want it broken, don't do stupid shit.
> 
> Running /bin/kill as the root user, one should not have to worry about
> the system falling over just because the kill command processed to the
> PID1 process a request to produce a non-existent signal.  As the
> original poster mentioned in passing, /bin/kill operates via the kill(2)
> syscall, which is _specifically_ documented as deliberately producing no
> effect if the referenced signal doesn't exist.  You may recall that he
> quoted from the kill(2) man page:
> 
> NOTES
>        The only signals that can be sent to process ID 1, the init
>        process, are those for which init has explicitly installed
>        signal handlers.  This is done to assure the system is not
>        brought down accidentally.
> 
> Please notice the concluding sentence, there.  What occurs if you fumble
> typing and mistakenly ask the systemd init process to issue an 'ILL'
> signal (instead of a 'KILL' one) _should never happen_.  Irrespective of
> whether you're the UID0 user.

Agreed, except the OP mentioned writing a script to explicitly send ILL 
to proc 1.  Not an accident.

It looks like the problem is in kill(2), not in init or systemd.  It is 
the kill(2) man page that says that it will only send "good" signals to 
proc 1.  It isn't the init process that seems broken.

> Expecting tools not to blow up contrary to their documentation and take
> down the entire system is not 'doing stupid shit'.  You shouldn't have
> to fear shrapnel just because you ran 'cd' as root, and it shouldn't
> happen just because you ran /bin/kill, either.

Which tool are you talking about?  It's not init which should handle all 
signals, it's kill which should be filtering them, as its man page sort 
of says.

> Yes, the root privilege is deliberately dangerous.  But it shouldn't
> be accidentally fatal to the system just from carrying out a routine
> operation that's documented to _not_ do that.

So, someone should file a bug against kill(2).  Right?

-- 
Michael Eager    eager at eagerm.com
1960 Park Blvd., Palo Alto, CA 94306