MacOS – How to create a custom readable symlink out of a sandboxed container

librarymacospermissionsymlink

How do I create a readable symlink from within a ~/Library/Containers/.../Data/ app folder to a file outside?

It seems that due to the macOS sandboxing mechanism, this doesn't work out of the box. That is, I can create a symlink fine, but the app I use won't be allowed to read the symlinked file.

Notes:

My intent is to customize the setup of my own machine. I'm not an app developer.
Editing the file Container.plist within ~/Library/Containers/.../ might help. So far, I've not had success yet.
Personal use case: being able to open an app from two different user accounts on the same machine and share the same app-database.

Best Answer

Unlikely to be Possible

I suspect that if this were possible with a symlink, Apple would consider it a serious security flaw.

That said, see Why is the symlink I created inside an application container to allow for external storage not working? for possible solutions.

Sandboxed applications can only read the contents their containers, some global locations, and the locations explicitly granted to them by the user – via the Powerbox mechanism.

See Powerbox and File System Access Outside of Your Container:

Your sandboxed app can access file system locations outside of its container in the following three ways:

At the specific direction of the user

By using entitlements for specific file-system locations (described in > - Entitlements and System Resource Access)

When the file system location is in certain directories that are world readable

Given the list above, you may be able to extend the entitlements for the application to include your specific location and then resign the application.

Bypass the Problem

Alternatively, consider stripping the application of its sandboxing entitlement. You could try ad-hoc resigning the application and omit the entitlements entirely.

Related Solutions

MacOS – Securing Lion user account directories from admin access

Administrators don't have ready access to files in other users home directories. Browsing your files would require extraordinary (though admittedly not technically complex) measures and malicious intent.

image of "no access" folders in another user's Home Directory

image of "Permission denied" notification.

I'm betting that most Apple store repair techs are a little too busy, and a little too fond of their jobs, to waste a lot of time unlocking and browsing through personal files. There's an old mail server admin adage about being able to read everyone's mail—and not caring. As a consultant I'm "inside" client computers all the time—seeing as little as I possibly can—and I have to tell you, most people's stuff is pretty boring.

I do protect truly confidential data, financial information, CC info, personal photos, inside secure containers such as encrypted disk images, Password Wallet, etc. (In my case this is all in addition to the Filevault 2 protected startup disk.) Having protected the good stuff, I don't lose a lot of sleep about bored repair techs, or interlopers who gain access to my computer, viewing the rest. Your own practice must suit your own position of comfort on the security<>usability continuum, but with a little thought you can get there using the tools the system provides.

Mac – Could not create symlink for “/Users”

Do it as root, and use forward slashes:

$ ln -s /Users /home
$ ls -ld /Users /home
drwxr-xr-x  6 root  admin  204 Apr  8  2014 /Users
lrwxrwxr-x  1 root  wheel    6 Sep 17 15:49 /home -> /Users