Security implications of user owned directory in /Applications

I was checking the content of /Applications and I saw that some directories are owned by root and some are owned by myUser.

E.g.:

$ cd /Applications
$ ls -l
drwxr-xr-x   3 myUser  admin   96 Sep  1 11:30 myApp
drwxr-xr-x   3 root  wheel   96 Sep  1 11:30 myOtherApp

Are there any security implications of having a user-owned directory in /Applications?

Maybe I am wrong, but if the directory is not root-owned, then any script can just change its content and swap the binary, for example. Same for any directory in /myUser/Applications. Or does macOS have an integrity protection for that?


On macOS, root doesn’t play much of a role, as any user that is an administrator functions with the same power. When you type any admin user and that admin's password in a permission dialog, that makes any user (even a non-admin user) root.

Some apps have a script or framework to change ownership to root; others don’t change it (like when you copy an app from Downloads or a disk image).

The information you show makes no difference security-wise. This is just permissions on a folder and package that anyone can read and execute. Other mechanisms check for known bad software and validate that parts of the application have not been tampered with.


You can test this yourself quite easily:

Choose an app that has myUser / admin owner and group, and try modifying it. Then do the same for one that is root/wheel.

The first can be modified (by myUser) without authorization. The latter requires authorization.

So theoretically, a malicious script running as a process of the same admin user could modify or delete such apps at will.

@bmike is right that such modified apps may be prevented by the OS. However, as another test, I just modified some bytes of the binary file on an app, and macOS did not prevent its launch. (The app crashed, mind, but macOS still tried to launch it!)

As for apps in myUser/Applications: those files are inside the user's domain, and so there is the expectation that the user (and any user processes) should be able to write to them.
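
One way to list which entries a given user can change without authorization, and to check the code signature of each flagged bundle, as an added example that is not part of the original posts. The function names and the sample listing (the question's `ls -l` output plus one constructed line) are assumptions, and only the mode bits are evaluated, not ACLs.

```sh
#!/bin/sh
# Added example, not from the original posts. Judges write access from the
# owner, group and mode columns of `ls -l` only; ACLs are not evaluated.

# Constructed sample: the question's two lines plus one hypothetical entry.
sample_listing() {
    cat <<'EOF'
total 0
drwxr-xr-x   3 myUser  admin   96 Sep  1 11:30 myApp
drwxr-xr-x   3 root  wheel   96 Sep  1 11:30 myOtherApp
drwxrwxr-x   3 root  admin   96 Sep  1 11:30 Shared Tool.app
EOF
}

# modifiable_by USER "GROUP1 GROUP2 ..." < ls-l-output
# Prints "name<TAB>class" for each directory USER can write to.
modifiable_by() {
    awk -v user="$1" -v grouplist="$2" '
        BEGIN { n = split(grouplist, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
        NF >= 9 && $1 ~ /^d/ {
            name = $9; for (i = 10; i <= NF; i++) name = name " " $i
            # Exactly one permission class applies: owner, else group, else other.
            if ($3 == user)        { cls = "owner"; w = substr($1, 3, 1) }
            else if ($4 in member) { cls = "group"; w = substr($1, 6, 1) }
            else                   { cls = "other"; w = substr($1, 9, 1) }
            if (w == "w") print name "\t" cls
        }'
}

# Audit a real directory as the current user; on macOS also verify the code
# signature of each flagged .app bundle.
audit_dir() {
    dir=${1:-/Applications}
    ls -l "$dir" | modifiable_by "$(id -un)" "$(id -Gn)" |
    while IFS="$(printf '\t')" read -r name cls; do
        printf '%s: writable via %s permission\n' "$dir/$name" "$cls"
        case $name in *.app) ;; *) continue ;; esac
        command -v codesign >/dev/null 2>&1 || continue
        codesign --verify --deep --strict "$dir/$name" 2>/dev/null ||
            printf '  signature check FAILED: %s\n' "$dir/$name"
    done
}

sample_listing | modifiable_by myUser "staff admin"
```

Run `audit_dir /Applications` on a Mac to apply the same check to the real directory; a bundle that is both user-writable and fails signature verification is the case worth investigating.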