Reputation: 29
I recently noticed that when I run a ps command in a term (Terminal, iTerm, ...) the command is run by the root user.
machine:~ vincent$ ps ux | grep ps
vincent 2846 0,2 0,0 4277992 848 s001 S+ 2:10 0:00.00 grep ps
root 2845 0,2 0,0 4287948 1120 s001 R+ 2:10 0:00.00 ps ux
This happens both when typing the command as an admin and as a regular user with no admin privilege, and this affects both Yosemite and High Sierra (so probably many other system versions).
Why is that?
Are there other commands affected by this behavior?
Upvotes: 1
Views: 2011
Reputation: 5128
If you look at ps file permissions, you'll notice that the SUID bit is on (check out the 's' in the permission flags).
ls -ltr /bin/ps
-rwsr-xr-x 1 root wheel 51280 Dec 1 2017 /bin/ps
This means that the process spawned from this file gets the permission from the file owner and not from its parent process (which can be the bash terminal from which you typed the command), and this user is root.
This is how sudo and many other system commands work.
Upvotes: 3
Reputation: 23438
I suspect this is done (via the setuid permissions bit) in order to allow __proc_info() (the syscall used by the <sys/libproc.h> functions) to access the other processes' address spaces in order to read out e.g. the executable's path. (This is not stored in the kernel - it's actually read from the process's argv[0]; and yes this does mean it can be faked.)
You could always try to make a copy of the ps binary (or compile it from source), remove the setuid bit, run it as an unprivileged user, and see what breaks.
Upvotes: 1
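Added example, not code from any of the posts above: a POSIX shell sketch that addresses the "other commands" question by listing every set-user-ID file under the given directories together with its owner UID (0 is root), and that wraps the copy-and-strip experiment suggested in the last answer. The function names list_setuid and strip_setuid_copy are hypothetical, and the directories to scan are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example: audit set-user-ID binaries (names below are hypothetical).

# list_setuid DIR...
# Print "<owner-uid> <path>" for every regular file with the setuid bit set.
# An owner uid of 0 means the program runs with root's effective uid,
# which is why ps shows up as owned by root in the question.
list_setuid() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -4000 matches files whose mode includes the setuid bit;
        # -xdev keeps find on the starting filesystem.
        find "$dir" -xdev -type f -perm -4000 2>/dev/null |
        while IFS= read -r f; do
            # Third field of numeric long listing is the owner uid.
            uid=$(ls -ldn "$f" | awk '{print $3}')
            printf '%s %s\n' "$uid" "$f"
        done
    done
}

# strip_setuid_copy SRC DEST
# Copy a binary and make sure the copy has no setuid bit, so it can be run
# as an unprivileged user to see what stops working. The original is untouched.
strip_setuid_copy() {
    cp "$1" "$2" && chmod u-s "$2"
}

# When directories are given on the command line, scan them.
if [ "$#" -gt 0 ]; then
    list_setuid "$@"
fi
```

Run it with directories such as /bin /sbin /usr/bin /usr/sbin as arguments; lines starting with 0 are the setuid-root programs.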