Hi all, I was recently looking into the security and vulnerability of the macOS Quicklook cache after finding out that macOS has a cache of all images you quicklook, which worried me. Then I tried to look at my own Quicklook cache folder, which was empty, and then upon researching that I saw that I cannot access the actual cache because I have SIP turned on and SIP blocks all access to the crucial system folders including /var (where the Quicklook caches are stored), blocked even from me the user (unless I turn SIP off).
Is it safe to assume that means that any malware or malicious app would also not be able to view these folders that are sandboxed by SIP?
What about apps that are granted Full Disk Access? I have quite a few of those. Can they access the sandboxed folders that are blocked by SIP? I would assume not, since Full Disk Access should be the same access as me the admin, who can't even access those protected folders. But if someone knows the answer to this as well, please chime in.
All in all, are these folders 100% safe since they are protected by SIP? (I guess the only one left with access would be Apple themselves, but that's a whole other can of worms topic.)
P.S. If Quicklook cache is blocked by SIP, would commands like "qlmanage -r cache" to clear cache still work? I've read somewhere that it still works (although there is no way for me to see if it worked, since SIP blocks the cache files and I wouldn't be able to compare if the file size went down to zero after the clear command).