AFAIK MacOS restricts newly installed apps from reading many folders without user permission. I know these permission are listed under System Preferences->Privacy->Files and Folders
But, is there a way I can verify these permissions are actually enforced? Like can I open a shell with the same permissions as a specific app? Kind of like su - nameofapp
?
I ask because I just installed the Amazon Kindle App from the MacOS App Store. I looked in ~/Library/Containers/com.amazon.Kindle/Data
and see this
❯ pwd
/Users/gregg/Library/Containers/com.amazon.Kindle/Data
❯ ls -l
total 0
lrwxr-xr-x 1 gregg staff 19 Jan 7 21:01 Desktop -> ../../../../Desktop
drwx------ 2 gregg staff 64 Jan 7 21:01 Documents
lrwxr-xr-x 1 gregg staff 21 Jan 7 21:01 Downloads -> ../../../../Downloads
drwx------ 33 gregg staff 1056 Jan 7 21:19 Library
lrwxr-xr-x 1 gregg staff 18 Jan 7 21:01 Movies -> ../../../../Movies
lrwxr-xr-x 1 gregg staff 17 Jan 7 21:01 Music -> ../../../../Music
lrwxr-xr-x 1 gregg staff 20 Jan 7 21:01 Pictures -> ../../../../Pictures
drwx------ 2 gregg staff 64 Jan 7 21:01 SystemData
drwx------ 2 gregg staff 64 Jan 7 21:01 tmp
Apparently the app has made links to a bunch of folders. How can I know if the app is actually prevented from accessing those folders via the links? I have not given the app any permissions and would just like to verify that these links are not away around the permissions.
Best Answer
macOS App Sandbox
~/Library/Containers
is created by macOS and not the application. Sandboxed applications are effectivelychroot
'd into their container. You can learn more in Apple's App Sandbox Design Guide documentation.Sandboxed applications have a
com.apple.security.app-sandbox
entitlement set totrue
.You can view the entitlements of an application using the command line tool
codesign
:There is no way to run a shell script using the rights of another application.
macOS's sandboxing approach requires that you trust Apple's implementation.