
How can you tell if a process runs as root or is run within a sandbox?



"ps" will show the effective uid ocspd is running as:

    % ps aux|grep ocspd
    root              534   0.0  0.0  2442712   2036   ??  Ss    3:53PM   0:00.04 /usr/sbin/ocspd

I don't know how to show the sandbox a running process is contained in, but it's easy enough to show that launchd runs ocspd directly, without sandbox-exec:

    % grep -A3 ProgramArguments /System/Library/LaunchDaemons/com.apple.ocspd.plist
            <key>ProgramArguments</key>
            <array>
                    <string>/usr/sbin/ocspd</string>
            </array>

It's possible for a process to programmatically place itself in a sandbox (see /usr/include/sandbox.h), but a quick look at the source to ocspd and a quick disassembly of what actually ships with OS X 10.9.2 shows ocspd does not do that.
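
The launchd check from the comment above, done by parsing the plist instead of grepping it (an added example, not part of the thread). It reports the user launchd starts the job as and whether the program is wrapped in sandbox-exec. The sample plists, the `com.example.wrapped` job and the `audit_job` helper are constructed for illustration, and a process that sandboxes itself after starting is invisible to this static check.

```python
import os
import plistlib

# Constructed sample shaped like the com.apple.ocspd.plist excerpt quoted above.
DIRECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.ocspd</string>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/ocspd</string></array>
</dict></plist>"""

# Constructed, hypothetical job: non-root user, launched through sandbox-exec.
WRAPPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.wrapped</string>
  <key>UserName</key><string>_example</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/sandbox-exec</string>
    <string>-f</string><string>/path/to/example.sb</string>
    <string>/usr/local/sbin/exampled</string>
  </array>
</dict></plist>"""


def audit_job(plist_bytes, default_user="root"):
    """Summarise how launchd will start a job, from its plist alone.

    default_user="root" assumes the file came from a LaunchDaemons directory,
    where jobs run as root unless the UserName key says otherwise.
    """
    job = plistlib.loads(plist_bytes)  # handles XML and binary plists
    argv = list(job.get("ProgramArguments") or [])
    # If Program is present it names the executable; otherwise argv[0] does.
    exe = job.get("Program") or (argv[0] if argv else None)
    return {
        "label": job.get("Label"),
        "user": job.get("UserName", default_user),
        "executable": exe,
        "sandbox_exec": exe is not None and os.path.basename(exe) == "sandbox-exec",
    }


if __name__ == "__main__":
    for sample in (DIRECT, WRAPPED):
        print(audit_job(sample))
```

To audit a real job, pass the bytes of the plist file, for example `audit_job(open(path, "rb").read())`.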


On a Mac, Activity Monitor will show you that; there are also things like top, ps aux and pgrep. These would work:

    pgrep -lf -U root | grep processname

or:

    ps aux | grep root | grep processname



