5.1.6 Ensure No World Writable Folders Exist in the System Folder

Information

Software sometimes insists on being installed in the /System/Volumes/Data/System Directory and has inappropriate world-writable permissions.

Macs with writable files in System should be investigated forensically. A file with open writable permissions is a sign of at best a rogue application. It could also be a sign of a computer compromise and a persistent presence on the system.

Folders in /System/Volumes/Data/System should not be world-writable. The audit check excludes the downloadDir and locks folders that are part of Apple's default user template.

Solution

Terminal Method:

Run the following command to set permissions so that folders are not world-writable in the /System folder:

$ /usr/bin/sudo IFS=$'
'
for sysPermissions in $( /usr/bin/find /System/Volumes/Data/System -type d -perm -2 | /usr/bin/grep -vE "downloadDir|locks" ); do
/bin/chmod -R o-w "$sysPermissions"
done

Impact:

Changing file permissions could disrupt the use of applications that rely on files in the System Folder with vulnerable permissions.

See Also

https://workbench.cisecurity.org/benchmarks/15551

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: d88a9e7073edcf63730cfddaccfe84e1b80541bc041563b385434c52f9758c32