Is Steam for Mac effectively running as superuser?

13

1

When you download the client it does not weigh too much, and seems to do very little. Inside the app bundle there is a script that—upon inspecting the environment and deciding you're not running Linux—launches the client, which downloads the full support environment and resources. For this to happen (all of this is saved inside the bundle, the app bundle gets updated in this process) Steam wants Universal Access for Assistive Devices, and your password.

Cacheable resources, preferences (like keyboard shortcuts), support files (like game hardware requirement lookup tables) live inside the bundle, not in ~/Library/{Application Support|Preferences|Cache}; games' data get dumped into ~/Documents/Steam Content.

I'd describe myself as a bit OCD (which really says a lot), and I wouldn't care that much still. I'd go comb this hairy mess and find out where stuff is, when and if I need to, even if it's in an unfamiliar place; that does not actually tick me off. Well, a little bit.

What makes me concerned is the way Steam needs both Access for Assistive Devices, and my password to run for the first time. The former gives it the ability to talk very intimately with running apps and the underlying system; while the latter (admin account) could very well give it and its publishers unrestricted access to all my software, hardware and data. With publishers like Rockstar using scene NOCD cracks to publish their games on Steam, I'm not so sure I'm OK with this.

I'd like more games made available for the MacOS X and all the pretty machines that run it, but this arrangement does not seem very Mac-like to me. It looks like Valve is going around system security measures and best practices, forgoing sandboxing, code signing, relatively sane structured organization; all the things that would appeal to someone who's no fun at parties at all, and will die alone, in his long dead mother's basement… wait. Right. Anyway.

Can we get some input on Steam for Mac security at the end-user machine, from someone who understands how Accessibility API works, whether games distributed on Steam can read and write outside the user homefolder, collect data from other running apps, or similar?

godDLL

Posted 2010-05-13T16:36:49.163

Reputation: 302

2

I seriously doubt Steam would seek this post out and reply to it here. You'd probably get better luck on the Steam forums... Edit: here, I posted it there for you. http://forums.steampowered.com/forums/showpost.php?p=14988314&postcount=1

– RCIX – 2010-05-17T03:53:34.020

I did not think they could answer that in a way that isn't costing them some PR points, so I asked here, where people that know stuff happen to hang. – godDLL – 2010-06-29T13:23:21.547

Answers

10

Answer from the devs themselves (Robert Barris, in this case):

Activating Universal Access is not a requirement for Steam or for games on Steam. However if you want to use the Steam Overlay then it is needed - UA provides the mechanism by which the Overlay can intercept keys from the game even when the game is front most.

No, Steam games are not running as superuser :/

RCIX

Posted 2010-05-13T16:36:49.163

Reputation: 5 415

5

There are thousands of installers that need your admin password to write to protected areas of the filesystem, including Apple's. If you want to know what user a process is running as then use ps or Activity Monitor.

Enabling assistive device access is a common workaround used when a non-scriptable application needs to be automated through a series of simulated clicks on windows and menus. It is far more likely that the people working on this product simply know nothing about the Mac platform than it is that they're interested in telling your mom where your naughty folders are.

http://www.macosxautomation.com/applescript/uiscripting/index.html

Hasaan Chop

Posted 2010-05-13T16:36:49.163

Reputation: 4 224

Apple's I trust, Steam's publishers – I do not. As far as I can see all the files Steam has on my system are 755 me:me. And you didn't answer my question. – godDLL – 2010-05-13T19:43:57.927

4

Actually, he told you exactly how to answer your own question: "If you want to know what user a process is running as then use ps or Activity Monitor" – EvanK – 2010-05-13T19:49:44.610

I did not want to know that, I already did. And my question is above – "Can we get some input on Steam for Mac security at the end-user machine, from someone who understands how Accessibility API works, whether games distributed on Steam can read and write outside the user homefolder, collect data from other running apps, or similar?". – godDLL – 2010-05-13T19:59:51.160

8

The Accessibility API is used by many products for many reasons. None of them are security threats. Your only problem is that you have been exposed to a very small amount of information you have no hope of understanding, and that you think Steam developers are going to respond to you on a public forum. – Hasaan Chop – 2010-05-13T20:26:59.150

1

Your last comment might have been intended as an insult, I can't tell. English is not my native language.
If it was so intended, then that's shameful.

Thanks for answering my question, finally, even if in a way that one might find extremely unpleasant. I'm unfamiliar with the Accessibility API, and that's really all you've got on me, please don't make assumptions based on so little data.

EDIT: If you post your answer as an answer, I'll accept it. – godDLL – 2010-05-13T20:54:17.963

1

It's not really my fault if your six paragraph question contained so little data. Or would you contend that your "mother's basement" rant was evidence of superior intelligence? – Hasaan Chop – 2010-05-13T22:36:19.827

1

Now I'm certain that you're trying to insult me, while I was trying to come off less anal and technical than I usually am, and not take myself too seriously. Try that once in a while.

My "rant" should have given you a vague idea for why I was concerned (vaguely concerned), and the question is exactly one sentence at the end. And none of it was aimed personally at you, or your lifestyle, even if you might have read it that way – I wasn't teasing.

I'll accept your answer. – godDLL – 2010-05-14T00:52:22.303

2

Steam is not running as root. It simply needs your credentials to install. The fact that it uses Assistive Devices isn't a big deal. Many apps do. In fact, most games do.

I have Steam running and I'm not worried about this.

But if you are, then get something like Little Snitch. It monitors ALL in and out going traffic from your Mac. It's a must app for every Mac user. Some use it to replace the firewall. And you tell it what apps/processes to allow access to the net. That way, if Steam runs a process that you aren't familiar with you will be notified. And you can decide to grant (or not) access.

You should be running Little Snitch anyway. But frankly, I think you are worried too much about Steam.

Stephen Cox

Posted 2010-05-13T16:36:49.163

Reputation: 141

1

My partner installed Steam on one of our Macs, and her own account isn't in the 'admin' group - /var/log/secure.log shows she only had to use an admin account for Finder to copy it to "Applications".

Access for Assistive Devices was already enabled on that Mac. A process listing confirms that nothing running for Steam is running as root (but it is running as your user. It can do anything you can, just like almost any other bit of software on a standard Unix, including reading or erasing all your files.)

If you're very paranoid, install and run your games in a separate user account.

jrg

Posted 2010-05-13T16:36:49.163

Reputation: 745
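
The process-listing check that two of the answers above refer to ("use ps" and "a process listing confirms that nothing running for Steam is running as root"), written out as an added shell example that is not part of any post on this page. The function names `audit_ps` and `sample_ps`, the user `alice` and the paths in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which user each matching process runs as, and flag
# any that run as root or whose real and effective users differ (setuid).

# audit_ps PATTERN
# Reads `ps -axo user,ruser,pid,comm` output on stdin (user = effective user,
# ruser = real user). Prints one line per process whose command contains
# PATTERN (case-insensitive). Returns 1 if any match is privileged.
audit_ps() {
    awk -v pat="$1" '
        NR == 1 { next }                      # skip the ps header row
        {
            # comm may contain spaces, so rejoin fields 4..NF
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            if (index(tolower(cmd), tolower(pat)) == 0) next
            status = "ok"
            if ($1 == "root")  { status = "ROOT";   bad = 1 }
            else if ($1 != $2) { status = "SETUID"; bad = 1 }
            printf "%-6s euser=%s ruser=%s pid=%s %s\n", status, $1, $2, $3, cmd
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample listing (not captured from a real machine).
sample_ps() {
    cat <<'EOF'
USER   RUSER  PID   COMM
root   root   1     /sbin/launchd
alice  alice  412   /Applications/Steam.app/Contents/MacOS/example_client
alice  alice  415   /Applications/Steam.app/Contents/MacOS/Example Helper
alice  alice  500   /Applications/Safari.app/Contents/MacOS/Safari
EOF
}

# Run against the constructed sample; both Steam rows report "ok".
sample_ps | audit_ps steam || echo "privileged Steam process found"

# Live use on a Mac:
#   ps -axo user,ruser,pid,comm | audit_ps steam
```

An "ok" row means the process has the launching user's privileges and nothing more; as the last answer points out, that still covers every file that user can read or write.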