I just downloaded the iAntivirus app from the Mac App Store. I wanted it to scan my whole hard drive for viruses, so it presented me with an Open dialog box pointing at the root of the hard drive (so that the computer can get access outside of its sandbox). I clicked ok, and the app started.
What I found odd was that I was never presented with a login box. The program was given access to files in the System folder, Library folder, etc. that only I could edit by typing in an admin username and password. Is this a security issue with sandboxing or is that the way it's supposed to work?
Best Answer
The App can have read/write access to a location if it gets your permission using an entitlement as part of the App Sandbox; in other words, this is how it's supposed to work. The App is code-signed and trusted, it's asking your permission, and in theory all should be good.
As noted in the Mac Technology overview:
Specifically, a developer can implement the following entitlement, as noted here in Enabling App Sandbox. This is exactly what you described in your question, so this is probably the entitlement that the A/V program developer utilized to obtain just read and write access.
Note that this is not the same as a true administrator user, since the program would not be granted the execute privilege.
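As an added illustration (not part of the original answer), here is a small Python audit of an app's entitlements plist, the kind you can dump on macOS with `codesign -d --entitlements :- /Applications/Example.app`, that reports whether the app is sandboxed and which file-access entitlements it holds. The plist below is constructed for the example; the key names are the real App Sandbox entitlement keys, but the page itself does not say which one iAntivirus uses.

```python
import plistlib

# Constructed sample: an App Sandbox entitlements plist for an app that asks the
# user to pick a folder in an Open dialog (the scenario in the question).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

# Real App Sandbox file-access entitlement keys and what each one grants.
# None of these elevate privileges: access is limited to what the logged-in
# user's own Unix permissions already allow on the chosen path.
FILE_ACCESS_KEYS = {
    "com.apple.security.files.user-selected.read-only":
        "read files or folders the user picks in an Open/Save dialog",
    "com.apple.security.files.user-selected.read-write":
        "read and write files or folders the user picks in an Open/Save dialog",
    "com.apple.security.files.downloads.read-write":
        "read and write ~/Downloads without a dialog",
}


def audit_entitlements(plist_bytes):
    """Return (sandboxed, granted).

    sandboxed: True if com.apple.security.app-sandbox is set.
    granted:   maps each enabled file-access entitlement to its meaning, and
               also lists any temporary-exception keys, which are broad
               carve-outs a reviewer should look at individually.
    """
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get("com.apple.security.app-sandbox") is True
    granted = {}
    for key, value in ents.items():
        if key in FILE_ACCESS_KEYS and value is True:
            granted[key] = FILE_ACCESS_KEYS[key]
        elif key.startswith("com.apple.security.temporary-exception."):
            granted[key] = "temporary exception: %r" % (value,)
    return sandboxed, granted
```

Running `audit_entitlements(SAMPLE_ENTITLEMENTS)` on the sample reports a sandboxed app whose only file-access grant is user-selected read/write, which is why an Open dialog, and not an admin password prompt, is what the user sees.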