Provided by: manpages-posix-dev_2013a-1_all bug

PROLOG

       This  manual  page  is part of the POSIX Programmer's Manual.  The Linux implementation of
       this interface may differ (consult the corresponding Linux  manual  page  for  details  of
       Linux behavior), or the interface may not be implemented on Linux.

NAME

       kill — send a signal to a process or a group of processes

SYNOPSIS

       #include <signal.h>

       int kill(pid_t pid, int sig);

DESCRIPTION

       The  kill() function shall send a signal to a process or a group of processes specified by
       pid.  The signal to be sent is specified by sig and is either one from the list  given  in
       <signal.h>  or 0. If sig is 0 (the null signal), error checking is performed but no signal
       is actually sent. The null signal can be used to check the validity of pid.

       For a process to have permission to send a signal to a process designated by  pid,  unless
       the  sending  process  has  appropriate  privileges,  the real or effective user ID of the
       sending process shall match the real or saved set-user-ID of the receiving process.

       If pid is greater than 0, sig shall be sent to the process whose process ID  is  equal  to
       pid.

       If  pid  is  0, sig shall be sent to all processes (excluding an unspecified set of system
       processes) whose process group ID is equal to the process group ID of the sender, and  for
       which the process has permission to send a signal.

       If  pid  is −1, sig shall be sent to all processes (excluding an unspecified set of system
       processes) for which the process has permission to send that signal.

       If pid is negative, but not  −1,  sig  shall  be  sent  to  all  processes  (excluding  an
       unspecified set of system processes) whose process group ID is equal to the absolute value
       of pid, and for which the process has permission to send a signal.

       If the value of pid causes sig to be generated for the sending process, and if sig is  not
       blocked for the calling thread and if no other thread has sig unblocked or is waiting in a
       sigwait() function for sig, either sig or at least one pending unblocked signal  shall  be
       delivered to the sending thread before kill() returns.

       The  user  ID tests described above shall not be applied when sending SIGCONT to a process
       that is a member of the same session as the sending process.

       An  implementation  that  provides  extended  security   controls   may   impose   further
       implementation-defined  restrictions on the sending of signals, including the null signal.
       In particular, the system may deny the existence of some or all of the processes specified
       by pid.

       The  kill() function is successful if the process has permission to send sig to any of the
       processes specified by pid.  If kill() fails, no signal shall be sent.

RETURN VALUE

       Upon successful completion, 0 shall be returned. Otherwise, −1 shall be returned and errno
       set to indicate the error.

ERRORS

       The kill() function shall fail if:

       EINVAL The value of the sig argument is an invalid or unsupported signal number.

       EPERM  The process does not have permission to send the signal to any receiving process.

       ESRCH  No process or process group can be found corresponding to that specified by pid.

       The following sections are informative.

EXAMPLES

       None.

APPLICATION USAGE

       None.

RATIONALE

       The  semantics for permission checking for kill() differed between System V and most other
       implementations, such as Version 7 or 4.3 BSD. The semantics chosen  for  this  volume  of
       POSIX.1‐2008  agree  with  System  V.   Specifically, a set-user-ID process cannot protect
       itself against signals (or at least not against SIGKILL) unless it changes its  real  user
       ID.   This  choice allows the user who starts an application to send it signals even if it
       changes its effective user ID.  The other semantics give more power to an application that
       wants to protect itself from the user who ran it.

       Some  implementations provide semantic extensions to the kill() function when the absolute
       value of pid is greater than some maximum, or otherwise special,  value.  Negative  values
       are  a  flag  to  kill().   Since  most  implementations return [ESRCH] in this case, this
       behavior  is  not  included  in  this  volume  of  POSIX.1‐2008,  although  a   conforming
       implementation could provide such an extension.

       The  unspecified  processes  to which a signal cannot be sent may include the scheduler or
       init.

       There was initially strong sentiment to specify that, if pid specifies that  a  signal  be
       sent to the calling process and that signal is not blocked, that signal would be delivered
       before kill() returns. This would permit a process to call kill() and be  guaranteed  that
       the  call never return. However, historical implementations that provide only the signal()
       function make only the weaker guarantee in this volume of POSIX.1‐2008, because they  only
       deliver  one  signal  each  time  a  process  enters  the  kernel.   Modifications to such
       implementations to support the sigaction() function generally require entry to the  kernel
       following  return  from  a  signal-catching function, in order to restore the signal mask.
       Such modifications have the effect of satisfying the stronger requirement, at  least  when
       sigaction()  is  used,  but not necessarily when signal() is used. The standard developers
       considered making the stronger requirement except when signal() is  used,  but  felt  this
       would  be  unnecessarily  complex.  Implementors  are  encouraged  to  meet  the  stronger
       requirement whenever possible. In practice, the weaker requirement is the same, except  in
       the  rare  case  when  two  signals arrive during a very short window. This reasoning also
       applies to a similar requirement for sigprocmask().

       In 4.2 BSD, the SIGCONT signal can be sent to any descendant process regardless of user-ID
       security  checks.   This allows a job control shell to continue a job even if processes in
       the job have altered their user IDs (as in the su command). In keeping with  the  addition
       of  the  concept  of  sessions,  similar functionality is provided by allowing the SIGCONT
       signal to be sent to any process in the  same  session  regardless  of  user  ID  security
       checks.  This  is  less  restrictive than BSD in the sense that ancestor processes (in the
       same session) can now be the recipient.  It is more restrictive than BSD in the sense that
       descendant  processes  that  form  new  sessions  are now subject to the user ID checks. A
       similar relaxation of security is not necessary for the other job  control  signals  since
       those  signals  are  typically  sent  by  the  terminal  driver  in recognition of special
       characters being typed; the terminal driver bypasses all security checks.

       In secure implementations, a process may be restricted from sending a signal to a  process
       having a different security label.  In order to prevent the existence or nonexistence of a
       process from being used as a covert channel, such processes should appear  nonexistent  to
       the  sender;  that is, [ESRCH] should be returned, rather than [EPERM], if pid refers only
       to such processes.

       Existing implementations vary on the result of a kill() with pid  indicating  an  inactive
       process  (a  terminated process that has not been waited for by its parent). Some indicate
       success on such a call (subject to permission checking), while others  give  an  error  of
       [ESRCH].   Since  the definition of process lifetime in this volume of POSIX.1‐2008 covers
       inactive processes, the [ESRCH] error as described  is  inappropriate  in  this  case.  In
       particular,  this  means  that  an  application  cannot  have  a  parent process check for
       termination of a particular child with kill().   (Usually  this  is  done  with  the  null
       signal; this can be done reliably with waitpid().)

       There  is some belief that the name kill() is misleading, since the function is not always
       intended to cause process termination. However, the  name  is  common  to  all  historical
       implementations,  and  any change would be in conflict with the goal of minimal changes to
       existing application code.

FUTURE DIRECTIONS

       None.

SEE ALSO

       getpid(), raise(), setsid(), sigaction(), sigqueue(), wait()

       The Base Definitions volume of POSIX.1‐2008, <signal.h>, <sys_types.h>

COPYRIGHT

       Portions of this text are reprinted and  reproduced  in  electronic  form  from  IEEE  Std
       1003.1,  2013  Edition,  Standard  for Information Technology -- Portable Operating System
       Interface (POSIX), The Open Group Base Specifications Issue 7, Copyright (C) 2013  by  the
       Institute  of  Electrical  and  Electronics  Engineers,  Inc and The Open Group.  (This is
       POSIX.1-2008 with the  2013  Technical  Corrigendum  1  applied.)  In  the  event  of  any
       discrepancy  between  this  version and the original IEEE and The Open Group Standard, the
       original IEEE and The Open Group Standard is the referee document. The  original  Standard
       can be obtained online at http://www.unix.org/online.html .

       Any  typographical  or  formatting errors that appear in this page are most likely to have
       been introduced during the conversion of the source files to man page  format.  To  report
       such errors, see https://www.kernel.org/doc/man-pages/reporting_bugs.html .