[MacTUG] Applications inadvertently running as root

Thu Nov 29 10:39:39 EST 2007

MacFixit, http://www.macfixit.com/article.php?story=20071128091806935

Applications inadvertently running as root

We've now seen a few reports of a phenomenon where normal applications inexplicably run with root privileges under Leopard (Mac OS X 10.5.x). This is a potentially serious security concern, as apps running with such priviliges can manipulate data beyond their intended bounds and potentially wreak system havoc. It's indicative of an inadvertent invocation of the setuid command.

As described by one reader:

    "I'm running Leopard 10.5.1 on my iMac 2.8GHZ Core 2 Duo Extreme machine. Even though the root user has not been enabled, Activity Monitor indicates that many of my routine applications, including iTunes and Safari, are running with root as the user. I did an archive and install to correct this problem, but after several days it has recurred. Have any other Macfixit members had this problem? InputManagers will not work for these applications when they are running with root as the user."

Generally, only core system processes (such as java, update, coreaduiod, etc.) should run as root. All ordinary, Finder-launched applications (Preview, Safari, iPhoto, the Finder itself, etc.), should generally run under the activating user.

As mentioned by the above reader, you can check which applications are running with which privileges using Activity Monitor, located in /Applications/Utilities. Click the User tab to organize by this field. If you find normal applications running as root, please drop us a line, indicating the use of any special system modifications (including Input Managers or "haxies").

Applications inadvertently running as root
Authored by: unknownjazzer on Thursday, November 29 2007 @ 06:23 AM PST

Can I just ask everyone if they have growl installed? I also noticed an instance of Safari running as root (and immediately killed it). I scoured the logs on boot and noticed a few odd things going on in and around loginwindow and osascript. I did a google and remembered seeing this linked to growl some how, so i switched it off and I've not seen safari running as root in activity window again, so far!