How to set ACL to a folder similar to Safari.app?
ls -lde /Applications/Safari.app/
drwxr-xr-x@ 3 root wheel 102 Jun 22 13:25 /Applications/Safari.app/
0: group:everyone deny delete
I have tried using :
sudo chmod -R +a "group:everyone deny delete" /Applications/xyz
ls -lde xyz
drwxr-xr-x+ 2 root admin 68 Oct 13 16:26 xyz
0: group:everyone deny delete
but I am still able to delete the folder xyz.
Any help will be appreciable.
Normally, one cannot deny sudo rmdir /Applications/xyz, nor sudo mv /Applications/Safari.app /Applications/Safari.app.bak. In normal conditions, root can do whatever it wants.
But the "System Integrity Protection" security layer protects Apple's applications when enabled (which is by default: see it with csrutil status. For developing reasons I was using csrutil enable -without fs). See this answer for this SIP explanation.
The rootless feature can be seen like this:
$ ls -le@d /Applications/Siri.app
drwxr-xr-x@ 3 root wheel 96 Oct 19 2017 /Applications/Siri.app
com.apple.rootless 0
0: group:everyone deny delete
So even the root can't remove it under SIP.
OTOH, this did not work under SIP:
$ sudo xattr -w com.apple.rootless "" /Applications/xyz
xattr: [Errno 1] Operation not permitted: '/Applications/xyz'
