We are looking to prevent users from accessing a directory we create from our non-sandboxed app via:
FileManager.createDirectory(atPath:withIntermediateDirectories:attributes:) //where path is ~/Library/Application Support/our.bundle.identifier/ourdir
To do this, we have set no permissions for this directory, thus ensuring they cannot open it via:
fileManager.setAttributes([.posixPermissions: 00000], ofItemAtPath: path) //no permissions
However, users can simply right click it, choose Get Info, and change it from No Access for everyone to Read & Write to gain access.
But this isn't the case for other directories I have found. For example, Desktop located at /Users/Guest/ (or any other user account you’re not logged into) also has No Access for everyone, and when you try to change it you’ll get an error:
The operation can’t be completed because you don’t have the necessary permission.
Another difference I see is the Locked checkbox is disabled for that directory, but enabled for the directory our app created.
This is exactly what we need for a directory created by our app. How can we ensure the user does not have permission to change permissions of this directory?
The reason certain folders can't be access is because they're owned by a different user, and the logged-in user doesn't have permissions. But neither will your app given it's running under the user's account. Admin users (which the default macOS account is one) can always change folder ownership and permissions so you're not going to prevent a folder from ever being accessed.