Every unsandboxed app has Full Disk Access if Terminal does

When System Integrity Protection (SIP) is enabled, as it is by default, macOS restricts apps from accessing certain files and folders such as ~/Desktop, ~/Documents, and ~/Downloads. If I run a simple ls command in Terminal,

If I open the Privacy tab of the Security & Privacy pane of System Preferences (let's not talk about Ventura System Settings) and select Files and Folders in the list, I can see which apps have special access.

Access to this folder is simply denied without asking permission. TCC stands for Transparency, Consent, and Control, the name of the macOS system that determines which apps have access to restricted files and folders. The TCC user database is stored inside the ~/Library/Application Support/com.apple.TCC folder, so obviously this folder needs to be restricted too, otherwise unauthorized apps could edit the database and give themselves special permissions.

You can still grant an app access to all restricted files and folders, even the ones without specific user permissions, by enabling Full Disk Access for the app. The user interface for this is also in the Privacy tab of System Preferences.

Leave a Comment