
MacOS: does SIP block all access to /Var folders like QuickLook Cache? What about Full disk access apps?

Hi All, I recently was looking into the security and vulnerability of the macOS QuickLook cache after finding out that macOS has a cache of all images you QuickLook, which worried me. Then I tried to look at my own QuickLook cache folder, which was empty, and upon researching that I saw that I cannot access the actual cache because I have SIP turned on and SIP blocks all access to the crucial system folders including /var (where the QuickLook caches are stored), blocked even from me, the user (unless I turn SIP off).
Is it safe to assume that means that any malware or malicious app would also not be able to view these folders that are sandboxed by SIP?
What about apps that are granted Full Disk Access? I have quite a few of those. Can they access the sandboxed folders that are blocked by SIP? I would assume not, since Full Disk Access should be the same access as me, the admin, who can't even access those protected folders. But if someone knows the answer to this as well, please chime in.
All in all, are these folders 100% safe since they are protected by SIP? (I guess the only one left with access would be Apple themselves, but that's a whole other can of worms topic.)
P.S. If the QuickLook cache is blocked by SIP, would commands like "qlmanage -r cache" to clear the cache still work? I've read somewhere that it still works (although there's no way for me to see if it worked, since SIP blocks the cache files and I wouldn't be able to compare whether the file size went down to zero after the clear command).

CPU: Intel 5820K OC 4GHZ | RAM: 16GB Corsair | GPU: ASUS STRIX 1070 8GB OC | Samsung EVO 980 500GB
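An added example, not code from anyone in the thread: a small POSIX shell script that reports the SIP state, locates the per-user cache directory that macOS reports via `getconf DARWIN_USER_CACHE_DIR` (a folder under /var/folders), and prints whether the QuickLook thumbnail cache there is readable and how many bytes it holds, so the size can be compared before and after running "qlmanage -r cache". The cache folder name `com.apple.QuickLook.thumbnailcache` is assumed from older macOS versions; newer releases may store thumbnails elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread). Reports SIP status and checks access to
# and size of the per-user QuickLook thumbnail cache. Assumed macOS paths only;
# on other systems the cache is simply reported as "missing".

# Classify access to a directory as seen by the current user:
# prints "readable", "denied" (exists but not listable) or "missing".
dir_access() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -r "$1" ] && [ -x "$1" ]; then
        echo readable
    else
        echo denied
    fi
}

# Total bytes of regular files below a directory; 0 if absent or unreadable.
# "wc -c" prints a "total" line per batch, which is filtered out before summing.
dir_bytes() {
    find "$1" -type f -exec wc -c {} + 2>/dev/null \
        | awk '$2 != "total" { s += $1 } END { print s + 0 }'
}

main() {
    if command -v csrutil >/dev/null 2>&1; then
        csrutil status            # e.g. "System Integrity Protection status: enabled."
    else
        echo "csrutil not found (not macOS?)"
    fi
    # Per-user cache root, normally /var/folders/<xx>/<hash>/C/ on macOS (assumption).
    cache_root="$(getconf DARWIN_USER_CACHE_DIR 2>/dev/null)" || cache_root=""
    cache_dir="${cache_root%/}/com.apple.QuickLook.thumbnailcache"
    echo "QuickLook cache dir: $cache_dir"
    echo "access: $(dir_access "$cache_dir")"
    echo "bytes:  $(dir_bytes "$cache_dir")"
}

main "$@"
```

Run it once, then "qlmanage -r cache", then run it again; the byte count shows whether the clear command actually emptied the cache you can see.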


19 minutes ago, kofman13 said:

blocked even from me, the user (unless I turn SIP off).

As it must be. Any malware that makes it onto the system would run with your user permissions by default, so it can do anything you can do.


Quote

I would assume not, since Full Disk Access should be the same access as me, the admin

Except you are not an administrator by default, for security reasons. Go onto the terminal and do a "sudo su", enter your password, then try accessing the protected folders again. So it depends on whether these apps run with admin privileges or are otherwise granted access by the OS.


19 minutes ago, kofman13 said:

I guess the only one left with access would be Apple themselves, but that's a whole other can of worms topic

The operating system has access to them, and in turn any program it grants access to it. The operating system may be made by Apple, but it isn't Apple.

Remember to either quote or @mention others, so they are notified of your reply


8 hours ago, Eigenvektor said:

As it must be. Any malware that makes it onto the system would run with your user permissions by default, so it can do anything you can do.


Except you are not an administrator by default, for security reasons. Go onto the terminal and do a "sudo su", enter your password, then try accessing the protected folders again. So it depends on whether these apps run with admin privileges or are otherwise granted access by the OS.


The operating system has access to them, and in turn any program it grants access to it. The operating system may be made by Apple, but it isn't Apple.

So in short, if I can't view the contents of a folder, then malware wouldn't either?

On a side note, if I were to disable SIP, view a certain folder, delete a file, then enable it again, would anything malicious happen to my system in that time frame? Like if malware was already on my Mac and SIP was protecting it until I disabled it for 3 minutes and now it infects? Or do malware and malicious things only try to modify SIP-protected system files "upon install" rather than constantly at any moment?


6 hours ago, kofman13 said:

So in short, if I can't view the contents of a folder, then malware wouldn't either?

Running with user permissions is simply another layer of defense. But there is no such thing as absolute security.


If malware is able to exploit a security vulnerability in a more privileged process, it might be able to do things your user account can't. But as a general rule of thumb, having fewer privileges will make it harder for malware to do damage.


Quote

On a side note, if I were to disable SIP, view a certain folder, delete a file, then enable it again, would anything malicious happen to my system in that time frame?

Like if malware was already on my Mac and SIP was protecting it until I disabled it for 3 minutes and now it infects? Or do malware and malicious things only try to modify SIP-protected system files "upon install" rather than constantly at any moment?

There's no real answer to that, since it depends on the particular malware and how sophisticated it is.


If there's malware on your system already, basically all bets are off. It's absolutely possible it would notice SIP being disabled immediately. Whether you disable SIP for a minute or an hour is more or less irrelevant: if malware is able to notice, it would likely exploit the system faster than it takes you to perform the click to turn it back on.
