5.1.6 Ensure No World Writable Files Exist in the System Folder

Information

Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions.

Macs with writable files in System should be investigated forensically. A file with open writable permissions is a sign of at best a rogue application. It could also be a sign of a computer compromise and a persistent presence on the system.

Folders in /System/Volumes/Data/System should not be world-writable. The audit check excludes the "Drop Box" folder that is part of Apple's default user template.

Solution

Run the following command to set permissions so that folders are not world-writable in the /System folder:

% /usr/bin/sudo IFS=$'
'
for sysPermissions in $( /usr/bin/sudo /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -v "downloadDir" ); do
/bin/chmod -R o-w "$sysPermissions"
done

Impact:

Changing file permissions could disrupt the use of applications that rely on files in the System Folder with vulnerable permissions.

See Also

https://workbench.cisecurity.org/benchmarks/17467