Applications inadvertently running as root

We've now seen a few reports of a phenomenon where normal applications inexplicably run with root privileges under Leopard (Mac OS X 10.5.x). This is a potentially serious security concern, as apps running with such priviliges can manipulate data beyond their intended bounds and potentially wreak system havoc. It's indicative of an inadvertent invocation of the setuid command.

As described by one reader:

"I'm running Leopard 10.5.1 on my iMac 2.8GHZ Core 2 Duo Extreme machine. Even though the root user has not been enabled, Activity Monitor indicates that many of my routine applications, including iTunes and Safari, are running with root as the user. I did an archive and install to correct this problem, but after several days it has recurred. Have any other Macfixit members had this problem? InputManagers will not work for these applications when they are running with root as the user."

Generally, only core system processes (such as java, update, coreaduiod, etc.) should run as root. All ordinary, Finder-launched applications (Preview, Safari, iPhoto, the Finder itself, etc.), should generally run under the activating user.

As mentioned by the above reader, you can check which applications are running with which privileges using Activity Monitor, located in /Applications/Utilities. Click the User tab to organize by this field. If you find normal applications running as root, please drop us a line, indicating the use of any special system modifications (including Input Managers or "haxies").

Feedback? Late-breakers@macfixit.com.

Resources