[rwg]

At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X.

I'll bet it was ocspd they exploited. The CRL handling code in libsecurity is awful, and ocspd runs as root without a sandbox profile.

[bfish510]

How can you tell if a process runs as root or is run within a sandbox?

[rwg]

"ps" will show the effective uid ocspd is running as:

    % ps aux|grep ocspd
    root              534   0.0  0.0  2442712   2036   ??  Ss    3:53PM   0:00.04 /usr/sbin/ocspd

I don't know how to show the sandbox a running process is contained in, but it's easy enough to show that launchd runs ocspd directly, without sandbox-exec:

    % grep -A3 ProgramArguments /System/Library/LaunchDaemons/com.apple.ocspd.plist
            <key>ProgramArguments</key>
            <array>
                    <string>/usr/sbin/ocspd</string>
            </array>

It's possible for a process to programmatically place itself in a sandbox (see /usr/include/sandbox.h), but a quick look at the source to ocspd and a quick disassembly of what actually ships with OS X 10.9.2 shows ocspd does not do that.

[yukichan]

On a mac Activity Monitor will show you that, also there are also things like top, ps aux and pgrep. These would work:

pgrep -lf -U root | grep processname

or:

ps aux | grep root | grep processname