brent saner via plug on 8 Jun 2024 09:55:59 -0700



Re: [PLUG] root "pkill: killing pid * failed: Operation not permitted"


On Sat, Jun 8, 2024, 07:53 Michael Lazin via plug <plug@lists.phillylinux.org> wrote:
> I don't know the specifics of how Crowdstrike security on Linux works because I have only used it on Windows or Mac, but on Mac it has full disk access, which is greater than root; it allows execution as system.

root is root is root on Linux. There's no user with more privileges than root.

Likewise for root on macOS, to my recollection.

> It may not be killable as root because it uses a configuration like apparmor or selinux; both of these systems can exceed the power of root.

Nope. Root can bypass/change/disable these, thus they do not "exceed the power of root". They simply interpret/intercept system calls; they're an entirely different model (MAC, RBAC) from normal *NIX/POSIX permissions (DAC, which root inherently overrides).

As JP says in the OP, SELinux is disabled.

JP, I'd first try what Steve suggested: a kill -9 or pkill -9 (SIGKILL instead of SIGTERM).

If that doesn't work, ps auxf and grep for the process, and check the process state. It may be zombie'd (Z), which in some cases (notably, it spawned from PID 1) won't clear without rebooting the machine.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
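
Added example, not part of the original message: the process-state check suggested in the reply, read directly from /proc/<pid>/stat instead of grepping ps output. The function names, hint wording and sample stat lines are constructed for illustration.

```shell
#!/bin/sh
# Report the state and parent of a process from /proc/<pid>/stat (Linux).

# parse_stat LINE -> prints "STATE PPID"
# Field 2 (comm) is wrapped in parentheses and may itself contain spaces
# or ')' characters, so cut at the LAST ") " instead of splitting the whole
# line on whitespace. The fields after comm are state, ppid, pgrp, ...
parse_stat() {
    rest=${1##*') '}        # drop "pid (comm) "
    set -- $rest            # $1 = state, $2 = ppid
    printf '%s %s\n' "$1" "$2"
}

# advise STATE PPID -> one-line hint for the operator
advise() {
    case $1 in
        Z) echo "zombie: already exited, waiting to be reaped by parent PID $2; signals have no effect" ;;
        D) echo "uninterruptible sleep: SIGKILL stays pending until the blocking kernel call returns" ;;
        *) echo "state $1: can be signalled; SIGKILL (-9) cannot be caught or ignored" ;;
    esac
}

# check_pid PID -> read the live stat line and print the hint
check_pid() {
    [ -r "/proc/$1/stat" ] || { echo "no such process: $1" >&2; return 1; }
    read -r line < "/proc/$1/stat"
    set -- $(parse_stat "$line")
    echo "state=$1 ppid=$2"
    advise "$1" "$2"
}

# Constructed sample lines (not captured from a real system):
#   "4242 (my daemon) S 1 4242 4242 0 -1 4194560"      -> S 1
#   "777 (x) R 1) Z 1234 777 777 0 -1 4227084"         -> Z 1234
# The second has a comm of "x) R 1"; naive whitespace splitting would
# report state R with parent 1 instead of a zombie with parent 1234.

if [ $# -gt 0 ]; then
    check_pid "$1"
fi
```

Run it with a PID as the only argument; with no argument it only defines the functions.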