1KILL(P)                    POSIX Programmer's Manual                   KILL(P)
2
3
4

NAME

6       kill - send a signal to a process or a group of processes
7

SYNOPSIS

9       #include <signal.h>
10
11       int kill(pid_t pid, int sig);
12
13

DESCRIPTION

15       The kill() function shall send a signal to a process or a group of pro‐
16       cesses specified by pid. The signal to be sent is specified by sig  and
17       is  either one from the list given in <signal.h> or 0. If sig is 0 (the
18       null signal), error checking is performed but  no  signal  is  actually
19       sent. The null signal can be used to check the validity of pid.
20
21       For  a  process to have permission to send a signal to a process desig‐
22       nated by pid, unless the sending process  has  appropriate  privileges,
23       the  real  or  effective user ID of the sending process shall match the
24       real or saved set-user-ID of the receiving process.
25
26       If pid is greater than 0, sig  shall  be  sent  to  the  process  whose
27       process ID is equal to pid.
28
29       If  pid is 0, sig shall be sent to all processes (excluding an unspeci‐
30       fied set of system processes) whose process group ID is  equal  to  the
31       process  group  ID of the sender, and for which the process has permis‐
32       sion to send a signal.
33
34       If pid is -1, sig shall be sent to all processes (excluding an unspeci‐
35       fied  set  of system processes) for which the process has permission to
36       send that signal.
37
38       If pid is negative, but not -1, sig shall  be  sent  to  all  processes
39       (excluding  an unspecified set of system processes) whose process group
40       ID is equal to the absolute value of pid, and for which the process has
41       permission to send a signal.
42
43       If the value of pid causes sig to be generated for the sending process,
44       and if sig is not blocked for the calling thread and if no other thread
45       has sig unblocked or is waiting in a sigwait() function for sig, either
46       sig or at least one pending unblocked signal shall be delivered to  the
47       sending thread before kill() returns.
48
49       The  user  ID  tests  described above shall not be applied when sending
50       SIGCONT to a process that is a member of the same session as the  send‐
51       ing process.
52
53       An  implementation  that provides extended security controls may impose
54       further implementation-defined restrictions on the sending of  signals,
55       including the null signal. In particular, the system may deny the exis‐
56       tence of some or all of the processes specified by pid.
57
58       The kill() function is successful if the process has permission to send
59       sig  to any of the processes specified by pid. If kill() fails, no sig‐
60       nal shall be sent.
61

RETURN VALUE

63       Upon successful completion, 0 shall be returned. Otherwise, -1 shall be
64       returned and errno set to indicate the error.
65

ERRORS

67       The kill() function shall fail if:
68
69       EINVAL The  value of the sig argument is an invalid or unsupported sig‐
70              nal number.
71
72       EPERM  The process does not have permission to send the signal  to  any
73              receiving process.
74
75       ESRCH  No  process  or process group can be found corresponding to that
76              specified by pid.
77
78
79       The following sections are informative.
80

EXAMPLES

82       None.
83

APPLICATION USAGE

85       None.
86

RATIONALE

88       The semantics for permission checking for kill() differed between  Sys‐
89       tem V and most other implementations, such as Version 7 or 4.3 BSD. The
90       semantics chosen for this volume  of  IEEE Std 1003.1-2001  agree  with
91       System  V.  Specifically,  a  set-user-ID process cannot protect itself
92       against signals (or at least not against SIGKILL) unless it changes its
93       real user ID.  This choice allows the user who starts an application to
94       send it signals even if it changes its effective  user  ID.  The  other
95       semantics  give  more  power  to  an  application that wants to protect
96       itself from the user who ran it.
97
98       Some implementations provide semantic extensions to the kill() function
99       when  the absolute value of pid is greater than some maximum, or other‐
100       wise special, value. Negative values are a flag to kill().  Since  most
101       implementations  return  [ESRCH]  in  this  case,  this behavior is not
102       included in this volume of IEEE Std 1003.1-2001, although a  conforming
103       implementation could provide such an extension.
104
105       The  implementation-defined  processes to which a signal cannot be sent
106       may include the scheduler or init.
107
108       There was initially strong sentiment to specify that, if pid  specifies
109       that  a  signal  be  sent to the calling process and that signal is not
110       blocked, that signal would be delivered  before  kill()  returns.  This
111       would  permit  a process to call kill() and be guaranteed that the call
112       never return. However, historical implementations that provide only the
113       signal()  function  make  only  the  weaker guarantee in this volume of
114       IEEE Std 1003.1-2001, because they only deliver one signal each time  a
115       process  enters  the  kernel.  Modifications to such implementations to
116       support the sigaction() function generally require entry to the  kernel
117       following  return  from a signal-catching function, in order to restore
118       the signal mask. Such modifications have the effect of  satisfying  the
119       stronger requirement, at least when sigaction() is used, but not neces‐
120       sarily when  signal()  is  used.  The  developers  of  this  volume  of
121       IEEE Std 1003.1-2001  considered making the stronger requirement except
122       when signal() is used, but felt this would  be  unnecessarily  complex.
123       Implementors  are  encouraged to meet the stronger requirement whenever
124       possible. In practice, the weaker requirement is the  same,  except  in
125       the  rare case when two signals arrive during a very short window. This
126       reasoning also applies to a similar requirement for sigprocmask().
127
128       In 4.2 BSD, the SIGCONT signal can be sent to  any  descendant  process
129       regardless  of user-ID security checks. This allows a job control shell
130       to continue a job even if processes in the job have altered their  user
131       IDs (as in the su command). In keeping with the addition of the concept
132       of sessions, similar functionality is provided by allowing the  SIGCONT
133       signal to be sent to any process in the same session regardless of user
134       ID security checks.  This is less restrictive than  BSD  in  the  sense
135       that ancestor processes (in the same session) can now be the recipient.
136       It is more restrictive than BSD in the sense that descendant  processes
137       that form new sessions are now subject to the user ID checks. A similar
138       relaxation of security is not necessary for the other job control  sig‐
139       nals  since  those signals are typically sent by the terminal driver in
140       recognition of special characters  being  typed;  the  terminal  driver
141       bypasses all security checks.
142
143       In  secure  implementations, a process may be restricted from sending a
144       signal to a process having a different security label. In order to pre‐
145       vent  the  existence  or nonexistence of a process from being used as a
146       covert channel, such processes should appear nonexistent to the sender;
147       that is, [ESRCH] should be returned, rather than [EPERM], if pid refers
148       only to such processes.
149
150       Existing implementations vary on the result of a kill() with pid  indi‐
151       cating  an  inactive  process  (a  terminated process that has not been
152       waited for by its parent). Some indicate success on such a  call  (sub‐
153       ject  to  permission  checking), while others give an error of [ESRCH].
154       Since  the  definition  of  process  lifetime   in   this   volume   of
155       IEEE Std 1003.1-2001  covers  inactive  processes, the [ESRCH] error as
156       described is inappropriate in this case. In particular, this means that
157       an  application cannot have a parent process check for termination of a
158       particular child with kill(). (Usually this is done with the null  sig‐
159       nal; this can be done reliably with waitpid().)
160
161       There  is  some  belief  that  the name kill() is misleading, since the
162       function is not always intended to cause process termination.  However,
163       the  name  is  common to all historical implementations, and any change
164       would be in conflict with the  goal  of  minimal  changes  to  existing
165       application code.
166

FUTURE DIRECTIONS

168       None.
169

SEE ALSO

171       getpid()  ,  raise()  ,  setsid() , sigaction() , sigqueue() , the Base
172       Definitions volume of IEEE Std 1003.1-2001, <signal.h>, <sys/types.h>
173
175       Portions of this text are reprinted and reproduced in  electronic  form
176       from IEEE Std 1003.1, 2003 Edition, Standard for Information Technology
177       -- Portable Operating System Interface (POSIX),  The  Open  Group  Base
178       Specifications  Issue  6,  Copyright  (C) 2001-2003 by the Institute of
179       Electrical and Electronics Engineers, Inc and The Open  Group.  In  the
180       event of any discrepancy between this version and the original IEEE and
181       The Open Group Standard, the original IEEE and The Open Group  Standard
182       is  the  referee document. The original Standard can be obtained online
183       at http://www.opengroup.org/unix/online.html .
184
185
186
187IEEE/The Open Group                  2003                              KILL(P)
Impressum