PermissionScanner and Full Disk Access

This week I posted updates to my two utilities designed to tackle incorrect permissions in the Home folder. Although their documentation explains this, both have to be added to the Full Disk Access list in Privacy when you’re running Mojave in order to work properly, or they will generate spurious results and may bamboozle you.

This article explains a little more about what happens.

Mojave prevents apps from accessing some files on the basis that they contain private data. By adding an app to the Full Disk Access list, you agree to give it full access to those protected files. When PermissionScanner checks the permissions of files in your Home folder, it needs that access. If you don’t provide it, Mojave’s privacy system prevents PermissionScanner from checking the permissions of at least four property list files, which are then reported as not having read and write access, even though they appear to have it when viewed in Terminal.

With Full Disk Access disabled, the following files should be reported as not being writable when you scan Home Preferences:
/Users/[username]/Library/Preferences/com.apple.mail-shared.plist
/Users/[username]/Library/Preferences/com.apple.homed.notbackedup.plist
/Users/[username]/Library/Preferences/com.apple.universalaccess.plist
/Users/[username]/Library/Preferences/com.apple.homed.plist

where [username] is your short username.

Run the same scan with Full Disk Access granted, and none of those should be listed as not being writable.

If you instead use the Home All Prefs scan, those same files will be listed as not being writable if you haven’t granted Full Disk Access.

If you think that you have granted Full Disk Access, but those files are still shown as not being writable, check your Privacy settings again. Also note that if you add an app to the Full Disk Access list while it is running, it isn’t actually granted that enhanced access until after the app has been quit, so you need to quit PermissionScanner, check Privacy again, then open PermissionScanner again.
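The discrepancy described above (mode bits that grant read and write, but a privacy denial when the file is actually accessed) is what produces the spurious “not writable” reports. As an added illustration, not PermissionScanner’s own code, the script below checks the four listed plists and separates a genuine permissions problem (the mode bits themselves deny access) from a privacy denial (the mode bits grant access but the kernel refuses it). It assumes a POSIX host, that a process without Full Disk Access on Mojave has access(2) refused on those files in the same way as open(2), and that the plists live under the standard Home path; the function and constant names are my own.

```python
#!/usr/bin/env python3
"""Tell a Full Disk Access (privacy) denial apart from a real permissions fault.

Added example, not code from PermissionScanner. Assumption: on Mojave a process
without Full Disk Access is refused by access(2)/open(2) on protected files even
though their mode bits grant the owner read and write.
"""
import os
import stat
import sys
from pathlib import Path

# The four preference files the post says are reported as not writable
# when Full Disk Access has not been granted (paths relative to Home).
PROTECTED_PREFS = [
    "Library/Preferences/com.apple.mail-shared.plist",
    "Library/Preferences/com.apple.homed.notbackedup.plist",
    "Library/Preferences/com.apple.universalaccess.plist",
    "Library/Preferences/com.apple.homed.plist",
]


def mode_grants(mode, file_uid, file_gid, euid, groups, want_write):
    """True if the POSIX mode bits alone would let (euid, groups) access the file."""
    if euid == 0:
        return True  # root passes ordinary read/write mode checks
    if euid == file_uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    elif file_gid in groups:
        bit = stat.S_IWGRP if want_write else stat.S_IRGRP
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(mode & bit)


def classify(mode_says_write, kernel_allows_write, mode_says_read, kernel_allows_read):
    """Combine what the mode bits say with what access(2) actually reports.

    'ok'          : mode bits and the kernel agree the file is readable and writable
    'mode-denies' : the mode bits themselves deny access (a genuine permissions issue)
    'tcc-blocked' : mode bits grant access but the kernel refuses it, which is the
                    signature of a privacy denial, not of bad permissions
    """
    if not (mode_says_read and mode_says_write):
        return "mode-denies"
    if kernel_allows_read and kernel_allows_write:
        return "ok"
    return "tcc-blocked"


def check_file(path):
    """Classify one file on disk; returns 'missing' if it does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        # If even stat is refused, treat it as a privacy denial as well.
        return "tcc-blocked"
    euid, groups = os.geteuid(), set(os.getgroups())
    m_read = mode_grants(st.st_mode, st.st_uid, st.st_gid, euid, groups, want_write=False)
    m_write = mode_grants(st.st_mode, st.st_uid, st.st_gid, euid, groups, want_write=True)
    return classify(m_write, os.access(path, os.W_OK), m_read, os.access(path, os.R_OK))


def scan_home_prefs(home=None):
    """Return {relative path: classification} for the four known protected plists."""
    home = Path(home or Path.home())
    return {rel: check_file(home / rel) for rel in PROTECTED_PREFS}


if __name__ == "__main__":
    results = scan_home_prefs()
    for rel, verdict in results.items():
        print(f"{verdict:12} {rel}")
    if "tcc-blocked" in results.values():
        print("\nSome files are blocked by privacy protection: add this tool to "
              "Full Disk Access, quit it, and rerun before trusting the results.",
              file=sys.stderr)
```

Run it once without Full Disk Access and once with it (quitting the terminal app in between, for the reason given above): the four files should move from tcc-blocked to ok, while a file whose mode bits really do deny you access stays at mode-denies either way.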

Running other scan options will list a lot of items in folders such as /Users/[username]/Library/Containers and /Users/[username]/Library/Group Containers. Unless you know what you’re doing, I recommend that you avoid running those scans. If you do run them, don’t panic and assume the worst, as the chances are that thousands of those permissions are actually set perfectly correctly.

I hope this helps users; I will incorporate it as a clearer warning in the documentation for the next releases of both apps.