5.1.5 Ensure Appropriate Permissions Are Enabled for System Wide Applications

Information

Applications in the System Applications Directory (/Applications) should be world-executable, since running them is their reason to be on the system. They should not be world-writable, because that would allow any process or user to alter them so that other processes or users then execute the modified versions.

Unauthorized modifications of applications could lead to the execution of malicious code.

Solution

Run the following command to change the permissions for each application that does not meet the requirements:

# Split the find output on newlines only, so application names containing spaces survive the loop
% IFS=$'\n'
% for apps in $( /usr/bin/find /System/Volumes/Data/Applications -iname "*.app" -type d -perm -2 | grep -v Xcode.app ); do
/usr/bin/sudo /bin/chmod -R o-w "$apps"
done

Note: Global changes should not be performed where mission-critical applications are part of the improperly permissioned applications.
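As an added example (not the benchmark's own command), the following POSIX shell script separates the audit from the remediation so that non-conforming bundles can be reviewed before any change is made; `APPS_ROOT`, `RUN_APP_AUDIT` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: audit a directory for
# world-writable .app bundles before touching anything, then remediate only
# the bundles reported. APPS_ROOT is an assumed variable; the benchmark's
# remediation hard-codes /System/Volumes/Data/Applications.
APPS_ROOT="${APPS_ROOT:-/System/Volumes/Data/Applications}"

# Print every .app directory under $1 that has the other-write bit set
# (find -perm -2), one per line, skipping Xcode.app as the benchmark does.
list_world_writable_apps() {
    find "$1" -iname "*.app" -type d -perm -2 2>/dev/null | grep -v 'Xcode\.app'
}

# Exit status 0 when no non-conforming bundle exists under $1, 1 otherwise,
# so it can drive a compliance check or a pre-change review.
audit_apps() {
    n=$(list_world_writable_apps "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Remove the other-write bit recursively from each reported bundle. Reading
# line by line instead of word-splitting keeps names with spaces intact.
# On the real path this must run as root (the benchmark uses sudo).
remediate_apps() {
    list_world_writable_apps "$1" | while IFS= read -r app; do
        chmod -R o-w "$app"
    done
}

# Report-only entry point; remediation is left as an explicit call so that
# mission-critical bundles can be reviewed first (see the Note above).
if [ "${RUN_APP_AUDIT:-0}" = "1" ]; then
    if audit_apps "$APPS_ROOT"; then
        echo "No world-writable app bundles under $APPS_ROOT"
    else
        echo "World-writable app bundles under $APPS_ROOT:"
        list_world_writable_apps "$APPS_ROOT"
    fi
fi
```

Run with `RUN_APP_AUDIT=1 sh audit_apps.sh` to get the report, and call `remediate_apps "$APPS_ROOT"` as root only once the reported bundles have been reviewed.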

Impact:

Applications changed will no longer be world-writable. Depending on the environment, there will be different risk tolerances on each non-conforming application. Global changes should not be performed where mission-critical applications are misconfigured.

See Also

https://workbench.cisecurity.org/benchmarks/17466