Tags: macos, cocoa, sandbox, appstore-sandbox

Can a sandboxed app sold on the Mac App Store access system folders?


Is it possible for an app sold through the Mac App Store to access system folders?

I mean this: my app needs to read the contents of directories that are outside the sandbox area, let's say something like /Library/StartupItems, and possibly delete a file there if the user wants.

Is it possible for a sandboxed app to access system folders and delete files there? If it cannot delete, can it at least read?

Do I have to enable sandbox if I want to sell on the Mac App Store?

I have tried a directory at random doing this:

  #import <Foundation/Foundation.h>
  NSString *path = @"/Library/StartupItems";
  NSError *error = nil;  // returns nil and fills error if the read is denied
  NSArray *dirFiles = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:path error:&error];

and I can get the directory listing. How can I be reading that if the app is marked as sandboxed? I don't get it.


Solution

  • No, OS X Applications sold through the Mac App Store cannot access resources in the way you've described. It's also required that all apps are sandboxed and codesigned with a valid Mac Developer Program Certificate.

    As for being able to read /Library/StartupItems (which is deprecated) when your app is marked as "sandboxed", it's not just a matter of having the option checked. You also have to ensure “Use Entitlements file” is selected and the application is properly codesigned. Once you've done that you can verify it's properly sandboxed in Terminal by using:

    codesign -dvvv --entitlements :- Some.app/Contents/MacOS/Executable
    

    In addition, there are certain directories where files that are "world readable" can be read:

    /bin
    /sbin
    /usr/bin
    /usr/lib
    /usr/sbin
    /usr/share
    /System
    

    In order to allow an OS X application to interact with the file system like your (earlier) example, the application would need to use elevated privileges, typically using Authorization Services — which App Sandbox disallows. Take a look at the section titled "Determine Whether Your App Is Suitable for Sandboxing", and it should answer any other concerns you might have.

    Sandboxing is good in a lot of ways, but also very restrictive at the same time. If your app needs to do things that are not within the scope of what is allowable, you can choose to not sell through the Mac App Store and not use Sandboxing. Some developers also create two different versions of their app (Mac App Store version and non-Mac App Store). If your app relies on going outside its container for much of anything, you'll definitely want to consider/weigh the pros and cons of Sandboxing.
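The verification step the answer recommends, as an added example that is not part of the original question or answer: a small POSIX shell script that runs the codesign command above and parses the entitlements plist it prints for the com.apple.security.app-sandbox key. The function names (entitlements_of, plist_has_sandbox, app_is_sandboxed, verdict) and the three sample plists embedded inline are constructed for this example; codesign only exists on macOS and its output format has changed across macOS versions, so the parser assumes the plain-XML form that the ':-' output form produces, while the parser itself runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original question or answer): verify that an
# app bundle really carries the App Sandbox entitlement, the check the answer
# recommends, by parsing the plist that codesign prints.
# Assumptions: function names and the sample plists below are constructed;
# `codesign` exists only on macOS; output is assumed to be plain XML.

# Print the entitlements of a signed bundle or executable as plain XML.
# ':-' tells codesign to write the entitlements to stdout without the
# binary blob header. It fails (no output, non-zero status) if the code is
# unsigned or carries no entitlements, which is the "not sandboxed" case.
entitlements_of() {
    codesign -d --entitlements :- "$1" 2>/dev/null
}

# Read an entitlements plist on stdin. Succeed only if the key
# com.apple.security.app-sandbox is present and its value is <true/>.
# A plist value follows its <key> element, either on the same line or on
# the next one, so the parser remembers "the last key was the sandbox key".
plist_has_sandbox() {
    want=0
    while IFS= read -r line; do
        case "$line" in
            *'<key>com.apple.security.app-sandbox</key>'*)
                want=1
                # Key and value on one line, e.g. from a hand-edited plist.
                case "$line" in *'<true/>'*) return 0 ;; esac
                ;;
            *'<true/>'*)
                if [ "$want" -eq 1 ]; then return 0; fi
                ;;
            *'<false/>'*|*'<key>'*)
                # Either the sandbox key was explicitly false, or a different
                # key started before a value was seen: stop looking.
                want=0
                ;;
        esac
    done
    return 1
}

# Combine both steps for a real bundle or executable path (macOS only).
app_is_sandboxed() {
    entitlements_of "$1" | plist_has_sandbox
}

# Constructed samples of what codesign prints. The first is what a properly
# sandboxed Mac App Store build looks like; the other two are not sandboxed.
SANDBOXED_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>'

FALSE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>'

# No sandbox key at all; the <true/> here belongs to another entitlement
# and must not be mistaken for the sandbox flag.
NO_KEY_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>'

# Print a one-word verdict for a plist passed as a string.
verdict() {
    if printf '%s\n' "$1" | plist_has_sandbox; then echo sandboxed; else echo not-sandboxed; fi
}

verdict "$SANDBOXED_PLIST"   # sandboxed
verdict "$FALSE_PLIST"       # not-sandboxed
verdict "$NO_KEY_PLIST"      # not-sandboxed

# On macOS, pass a bundle to check the real thing:
#   sh check_sandbox.sh /Applications/Some.app
if [ "$#" -ge 1 ]; then
    if app_is_sandboxed "$1"; then echo "$1: sandboxed"; else echo "$1: NOT sandboxed"; fi
fi
```

An unsigned build, or one signed without an entitlements file, produces no entitlements output at all, and the pipeline reports it as not sandboxed; that is the situation the answer suspects behind the question's successful directory listing, where the sandbox checkbox was ticked but never actually applied to the signed binary.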