
Applications inexplicably running as root (cont.): Checking which apps use setuid, more

Curious.

CNET staff

We continue to investigate a phenomenon where normal applications inexplicably run with root privileges. As noted yesterday, this is a potentially serious security concern, as apps running with such privileges can manipulate data beyond their intended bounds and potentially wreak system havoc. It's indicative of an inadvertent invocation of the setuid command -- which can be invoked to allow applications root privileges on a case-by-case basis.

Also as mentioned yesterday, you can check which applications are running with which privileges using Activity Monitor, located in /Applications/Utilities. Click the User tab to organize by this field. If you find normal applications running as root.

Fortunately, under Mac OS X 10.5 (Leopard) there's also an easy method for determining which applications have assigned themselves root privileges via the setuid command. Launch the Terminal (located in /Applications/Utilities) and enter the command:

  • sudo /usr/bin/setuids.d

then press return (thanks Dominic Dunlop).

Generally, only core system processes (such as java, update, coreaudiod, etc.) should run as root. All ordinary, Finder-launched applications (Preview, Safari, iPhoto, the Finder itself, etc.) should usually run under the activating user. If you see any suspect listings after invoking this command, you can use Activity Monitor to quit the processes.
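As an added example (not from the article, and not an Apple or MacFixIt tool), the following POSIX shell script automates the two checks described above: it flags root-owned processes whose names are not on an allowlist of expected system daemons, and it lists files under a directory that carry the setuid bit, which is what makes a program run as its owner (root, for a root-owned file) regardless of who launched it. The allowlist contents and the sample `ps` lines are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the MacFixIt article): triage helpers for the
# "ordinary apps running as root" symptom discussed above.
#
#   list_setuid_files DIR  - prints regular files under DIR with the setuid bit set
#   suspect_root_procs     - reads "<user> <command>" lines (as from
#                            `ps -axo user=,comm=`) on stdin and prints the
#                            root-owned ones whose name is NOT in the allowlist

# Process names the article treats as legitimately root-owned, plus a few
# daemons that are normally root. This list is an assumption; edit to taste.
EXPECTED_ROOT='launchd|kernel_task|coreaudiod|java|update|mds|securityd'

list_setuid_files() {
    # -perm -4000 matches any file with the setuid bit; -type f skips directories.
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

suspect_root_procs() {
    # Compare only the basename of the command, so both full paths (macOS ps)
    # and bare names (Linux ps) are handled the same way.
    awk -v allow="^(${EXPECTED_ROOT})\$" '
        $1 == "root" {
            n = split($2, parts, "/")
            name = parts[n]
            if (name !~ allow) print $1, $2
        }'
}

# Constructed sample of `ps -axo user=,comm=` output showing the symptom:
# Finder and Preview are owned by root instead of the logged-in user.
SAMPLE_PS='root /sbin/launchd
root /usr/sbin/coreaudiod
root /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
alice /Applications/Safari.app/Contents/MacOS/Safari
root /Applications/Preview.app/Contents/MacOS/Preview
alice /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock'

main() {
    echo "== suspect root-owned processes (constructed sample) =="
    printf '%s\n' "$SAMPLE_PS" | suspect_root_procs
    echo "== setuid files under /Applications (live system) =="
    list_setuid_files /Applications
}

main
```

On a real Mac, replace the sample with the live process list: `ps -axo user=,comm= | suspect_root_procs`. A setuid file under /Applications is not proof of a problem, but every hit should be one you can explain (an installer's helper, for instance); the bit can be cleared with `chmod u-s` once you have confirmed the file should not carry it.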

A few more reports on this issue:

One MacFixIt reader reports a situation where the application Color launched under the root account, and actually saved files to the root user's Library directory:

"Oddly enough, I had the same thing happen yesterday with Color, but v 1.01 under 10.4.10. The app crashed, and on relaunch it ignored the current user prefs, instead opening with the home directory hierarchy, which Color and Final Touch users will recognize in its arcane glory, defaulting to the Documents folder of the root user, despite not being enabled in Netinfo. All saved grades etc ended up in Users/root/Library/Application Support/Color. The user prior to this event was an admin user, which may have something to do with what on the face of it looks like an escalation of privileges, at least within the app. Very odd indeed."

Another reader reports that he found the Finder running with root privileges:

"Coincidentally I noticed this morning as I cleared my overnight screensaver that in the Finder window sidebar my 'Places' listed 'root' next to the 'home' icon, and the list of other folders I have there wasn't there any more. Fearing the worst, when I moved the mouse to investigate, the Finder 'blinked' and my home directory and other folders reappeared as usual. I then saw your article on root applications and decided to investigate - there are a number of system processes listed as running as 'root' (such as Mozybackup, aspects of Retrospect, my UPS client) - but also Finder."

One reader tentatively suggests that DiskWarrior is responsible for applications incorrectly running with root privileges:

"I made the mistake of running DiskWarrior on my 10.5 disk while booted from a 10.4 disk and had the same problem of various programs running as root afterwards. I suspect that repairing permissions from DW was the primary cause."

Feedback? Late-breakers@macfixit.com.
