[CRITICAL] kill_others + process_filters can kill arbitrary system processes #21

Open
opened 2026-05-11 10:52:01 +00:00 by thabeta · 1 comment
Owner

Problem

The kill_others feature combined with process_filters allows a service to declare arbitrary process name patterns and kill all matching processes on the system.

A misconfigured or malicious service with process_filters = ["python"] or process_filters = ["node"] would kill ALL Python/Node.js processes on the system, including unrelated services.

Impact

  • Denial of service: killing critical system processes
  • Privilege escalation boundary: a user service could kill system-class processes
  • No confirmation or safety check before killing

Files

  • crates/my_init_server/src/supervisor/spawning.rs -- kill_others + process_filters handling in spawn_service
  • crates/my_init_server/src/process_info.rs -- find_processes_by_name

Suggested Fix

  • Require explicit confirmation for kill_others (interactive prompt or admin flag)
  • Scope kill_others to only services owned by the same user
  • Add a whitelist/blacklist for protected process names
  • Log and rate-limit process killing
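As an added illustration of the "scope to the same user" and "protected process names" items in the suggested fix (example code, not the my_init project's own; it assumes the supervisor already has a process list with pid, uid and name, and treats `process_filters` entries as exact names rather than patterns), this selects the PIDs a service may target instead of signalling every match system-wide:

```rust
// Added example, not my_init code: scoped target selection for `kill_others`.
// Process data below is a constructed sample; a real supervisor would read it
// from /proc. Filters are assumed to be exact process names.
use std::collections::HashSet;

pub struct ProcInfo {
    pub pid: u32,
    pub uid: u32,
    pub name: String, // process (comm) name, assumed exact
}

/// PIDs that a service running as `service_uid` (its own pid `self_pid`)
/// may signal under its `process_filters`. Unlike the unscoped behaviour the
/// issue describes, this refuses processes owned by other users, the caller
/// itself, PID 1, and any name on the protected list.
pub fn select_kill_targets(
    candidates: &[ProcInfo],
    filters: &[&str],
    service_uid: u32,
    self_pid: u32,
    protected: &[&str],
) -> Vec<u32> {
    let wanted: HashSet<&str> = filters.iter().copied().collect();
    let shielded: HashSet<&str> = protected.iter().copied().collect();
    candidates
        .iter()
        .filter(|p| wanted.contains(p.name.as_str()))
        .filter(|p| p.uid == service_uid) // same-user scope
        .filter(|p| p.pid != self_pid && p.pid != 1) // never self or init
        .filter(|p| !shielded.contains(p.name.as_str())) // protected names
        .map(|p| p.pid)
        .collect()
}

/// Constructed sample: two users, unrelated python processes, a protected daemon.
pub fn sample_processes() -> Vec<ProcInfo> {
    let mk = |pid, uid, name: &str| ProcInfo { pid, uid, name: name.to_string() };
    vec![
        mk(1, 0, "init"),
        mk(200, 0, "python"),    // root-owned: out of scope for uid 1000
        mk(210, 1000, "python"), // same user: eligible
        mk(220, 1000, "python"), // same user: eligible
        mk(230, 1001, "node"),   // other user: out of scope
        mk(240, 1000, "sshd"),   // protected even when filtered
    ]
}

fn main() {
    let t = select_kill_targets(&sample_processes(), &["python", "sshd"], 1000, 300, &["sshd", "systemd"]);
    println!("would signal: {t:?}"); // [210, 220]
}
```

The unscoped variant in the issue would have returned 200, 210, 220 and 240 for the same filters; the remaining suggested items (confirmation, logging, rate limiting) sit around this selection step rather than inside it.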
Member

Classification: valid-bug — kill_others + process_filters can kill arbitrary system processes without scope restriction or safety checks.

Confirmed by code inspection at crates/my_init_server/src/supervisor/spawning.rs:142-177. When kill_others is enabled with process_filters, the code calls find_processes_by_name for each filter and sends SIGKILL to all matching processes system-wide. There is no scope restriction, no user-owned-process check, no logging whitelist, and no confirmation prompt. A service with process_filters = ["python"] or ["node"] would kill every Python/Node.js process on the system, including unrelated critical services.

Reference
geomind_code/my_init#21