TL;DR

kill -9 -1 can send a lot of processes to their untimely demise and can blow up your system. Since Solaris 11.4 SRU 90, this is blocked: sending a signal to all processes now requires the new process flag PRIV_PROC_SENDTOALL, which is not set by default. If you really need to send a signal to all processes, you can explicitly enable it with ppriv.

Accidents will happen …

Ever sent a -9 to all your processes by accident? Or any other signal, like HUP? If not, you can try this out by running kill -9 -1 on a system. Please don’t do this on a production system — use a test system or a VM on your laptop instead.

In POSIX, a process ID of -1 means “all” in this context. If a user is sufficiently privileged, all really means all processes on the system. If you do it in the global zone, all includes the non-global zones.

I once built a script myself that had a tendency to blow up my system. Afterward, I did two things: First, I moved the kill into a function that explicitly checks for -1 and refuses to execute it. And then, once I could finally test without the system constantly blowing up on me, I fixed a really stupid mistake on my part. Through a series of steps and a singular circumstance — which I didn’t see through at first — a -1 ended up in the variable for the process ID. When the kill was executed with that process ID somewhat later, I saw similar consequences as I will show you next.
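A guard of the kind described above, one that checks the target before kill ever runs, could look like the following. This is an added example, not the author's script: the name safe_kill and its argument order are assumptions, and it goes beyond -1 by also refusing empty, zero and other negative targets, which address process groups rather than a single process.

```shell
# safe_kill SIGNAL TARGET...   (hypothetical helper, added example)
# Signals only plain positive PIDs. All targets are validated before
# kill runs, so one bad value in a list blocks the whole call.
# Call it with the variable quoted:  safe_kill KILL "$pid"
safe_kill() {
    if [ "$#" -lt 2 ]; then
        # An unquoted empty variable vanishes from the argument list
        # and ends up here instead of reaching kill.
        echo "usage: safe_kill SIGNAL PID..." >&2
        return 2
    fi
    _sk_sig=$1
    shift
    for _sk_target in "$@"; do
        case $_sk_target in
            '' | *[!0-9]*)
                # empty, -1 (all processes), -N (process group N),
                # or anything else that is not purely digits
                echo "safe_kill: refusing target '$_sk_target'" >&2
                return 1 ;;
            *[1-9]*)
                ;;  # digits only, at least one non-zero: a positive PID
            *)
                # 0 or 00: kill would signal the caller's process group
                echo "safe_kill: refusing target '$_sk_target'" >&2
                return 1 ;;
        esac
    done
    kill -s "$_sk_sig" "$@"
}
```

Because validation finishes before kill is called, a list such as a valid PID followed by a stray -1 signals nothing at all.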

When sending a -1 kill, you will see something like this.

jmoekamp@testbed:~$ su - root
Password: 
Oracle Solaris 11.4.88.207.1                  Assembled December 2025
You have new mail.
root@testbed:~# kill -9 -1Connection to 192.168.3.242 closed by remote host.

Okay, how can you protect yourself against this? Since Solaris 11.4 SRU 90, the ability to use -1 (or more precisely, the ability to send a signal to all processes) depends on whether a certain process flag has been set for the process attempting to send the signal. A process can only send it if it has the PRIV_PROC_SENDTOALL flag set. Otherwise the attempt fails with “Insufficient privileges”.

jmoekamp@testbed:~$ su - root
Password: 
Oracle Solaris 11.4.90.214.1                  Assembled February 2026
You have new mail.
root@testbed:~# kill -9 -1
-bash: kill: (-1) - Insufficient privileges
root@testbed:~#

This attempt can then also be found, for example, in /var/adm/messages:

Feb 26 05:43:01.635 testbed genunix: [ID 596902 kern.warning] WARNING: Blocked kill(-1, 9) from /usr/bin/bash pid 978

So even as root, you can no longer accidentally kill more processes with a stray -1 than you actually intended. However, there are situations where that is exactly what you want. By setting the aforementioned process flag, you can force the pre-SRU 90 behaviour. I’ll use a rather brutal example to illustrate this.

root@testbed:~# ppriv -f +E $$ 
root@testbed:~# kill -9 -1 Connection to 192.168.3.242 closed by remote host.
Connection to 192.168.3.242 closed.

I would like to quote from the ppriv man page on this:

E    PRIV_PROC_SENDTOALL

Warning: Setting this flag allows a process with the proc owner privilege to send signals to all processes. This is considered unsafe since it can result in an unclean termination of critical application and system state. No process has this flag set by default.

However, there is a second protection. If you set the maintenance mode type “noreboot” via sysadm, the attempt to kill all processes will still fail with “Insufficient privileges”, even if you have set the E flag.

root@testbed:~# sysadm maintain -s -t noreboot
root@testbed:~# ppriv -f +E $$
root@testbed:~# kill -9 -1 
-bash: kill: (-1) - Insufficient privileges

As soon as you remove the noreboot maintenance mode, the kill will work.

root@testbed:~# sysadm maintain -e -t noreboot
root@testbed:~# ppriv -f +E $$
root@testbed:~# kill -9 -1 Connection to 192.168.3.242 closed by remote host.
Connection to 192.168.3.242 closed.

This isn’t a security feature. As Darren Moffat said in a Fediverse comment, it’s a safeguard. Imagine it like a safety toggle switch cover that you have to flip first before you can toggle the switch. [1]

[1] As seen on TV. Except in those situations where an accidental activation of something is intended by the writers.

Written by

Joerg Moellenkamp

Grey-haired, sometimes grey-bearded Windows dismissing Unix guy.