The macOS core filesystem is split by design, using a Signed System Volume (SSV) architecture. The System volume is immutable (read-only and sealed), while specific Data volumes and paths are writable.
High-Level Overview
| Component | Writable |
|---|---|
| System volume | ❌ |
| Data volume | ✅ |
| Firmlinked paths | ✅ |
| Runtime storage | ✅ |
| Preboot / Recovery | ❌ |
| VM volume | ✅ |
Core Filesystem Architecture
macOS uses a volume group: a single startup disk composed of multiple APFS volumes.
| APFS Volume | Mount Point | Writable | Purpose |
|---|---|---|---|
| System | / | ❌ No | OS binaries, frameworks (sealed) |
| Data | /System/Volumes/Data | ✅ Yes | User data, apps, configs |
| Preboot | /System/Volumes/Preboot | ❌ No | Boot loaders |
| Recovery | /System/Volumes/Recovery | ❌ No | Recovery OS |
| Virtual Memory | /System/Volumes/VM (also reachable as /private/var/vm) | ✅ Yes | Swap, sleep image and VM state; used automatically by macOS, so do not modify it manually |
Access Control Mechanisms
Filesystem access is governed by multiple, layered mechanisms:
| Mechanism | Control |
|---|---|
| POSIX permissions | chmod, chown |
| Root / sudo | Privilege escalation |
| SIP | Kernel/system protection |
| TCC (FDA) | Privacy & user data access |
Firmlinks (Logical View)
Apple uses firmlinks so that Data volume content appears under /.
| Path under / | Backing Volume | Writable |
|---|---|---|
| /Users | Data | ✅ |
| /Applications (3rd-party) | Data | ✅ |
| /Library | Data | ✅ |
| /private/var | Data | ✅ |
| /opt | Data | ✅ |
| /usr/local | Data | ✅ |
Writable Locations (Safe and Supported)
| Area | Mount Point |
|---|---|
| User Data | /Users/<username>, /Users/Shared |
| Application & App Support (see note below) | /Applications (third-party apps only), /Library, /Library/Application Support, /Library/Preferences, /Library/LaunchAgents, /Library/LaunchDaemons |
| Developer / Tooling | /opt (Homebrew default on Apple Silicon), /usr/local |
| Daemon | /Library/LaunchDaemons |
| External Disk | /Volumes (mounted disks) |
You can test whether a path is writable with `touch /path/testfile` (remove the test file afterwards). To inspect the root mount and its flags (`sealed`, `read-only`): `mount | grep " / "`; run `mount` on its own to list every volume in the group.
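As an added example (not code from the original page), the following script resolves a logical path the way the firmlink table and the mount list do: it follows the firmlink onto the Data volume, then picks the longest matching mount point and reads its flags. The `mount` output and firmlink excerpt are constructed samples in the real formats (`mount` lines, and the tab-separated `/usr/share/firmlinks` layout); a True result only says the volume is not sealed or read-only, it says nothing about TCC.

```python
import re

# Constructed sample of `mount` output from an SSV Mac (device names are made up).
SAMPLE_MOUNT = """\
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
"""

# Constructed excerpt in the /usr/share/firmlinks format: "<path under />\t<path relative to the Data volume>".
SAMPLE_FIRMLINKS = """\
/Applications\tApplications
/Library\tLibrary
/Users\tUsers
/private\tprivate
/usr/local\tusr/local
"""

MOUNT_RE = re.compile(r"^(.+?) on (\S+) \(([^)]*)\)$")

def parse_mount(text):
    """Return {mount_point: set(flags)} from `mount` output lines."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            mounts[m.group(2)] = {f.strip() for f in m.group(3).split(",")}
    return mounts

def parse_firmlinks(text):
    """Return [(system_path, data_relative_path)], longest prefix first."""
    links = [tuple(l.split("\t", 1)) for l in text.splitlines() if "\t" in l]
    return sorted(links, key=lambda l: len(l[0]), reverse=True)

def resolve(path, mounts, firmlinks, data_mount="/System/Volumes/Data"):
    """Map a logical path to (physical_path, mount_point, volume_writable)."""
    # Follow the firmlink first (so /Users/alice lands on the Data volume),
    # then let the longest matching mount point decide. The writable flag is
    # the volume-level answer only; TCC can still refuse the access.
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    for src, dst in firmlinks:
        if path == src or path.startswith(src + "/"):
            path = f"{data_mount}/{dst}{path[len(src):]}"
            break
    hits = [mp for mp in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")]
    best = max(hits, key=len)
    return path, best, not ({"sealed", "read-only"} & mounts[best])
```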
Ephemeral Storage (Runtime)
These locations are writable but volatile.
| Component | Path | Writeable | Notes |
|---|---|---|---|
| Logs | /private/var/log | ✅ | Rotated automatically |
| Databases | /private/var/db | ✅ | System state |
| Temp files | /private/var, /private/tmp, /tmp | ✅ | Cleared aggressively |
| Caches | /private/var/folders | ✅ | Volatile |
Writable ≠ Accessible
Some writable paths require explicit permission. Accessing another user's home directory triggers Transparency, Consent, and Control (TCC) restrictions, which apply even to root.
The macOS privacy framework treats each user's home directory as private. Cross-user access is blocked even if:
- You are root
- File permissions allow access
- SIP is disabled
| Path | Writeable | Requirements |
|---|---|---|
| /Library | ✅ | Full Disk Access |
| /Users/<other-user> | ✅ | Full Disk Access |
| External volumes | ✅ | User consent |
| Time Machine | ✅ | Backup entitlement |
Granting Full Disk Access (FDA)
GUI
- System Settings → Privacy & Security → Full Disk Access
- Add Terminal, your script, or an admin tool
- Restart the application
CLI (reset only)
`tccutil reset All`
`tccutil` can only reset existing grants; it cannot grant Full Disk Access. Approval requires user interaction in System Settings or an MDM-delivered privacy (PPPC) profile.
Note: ⚠️ /System/Applications is read-only (Apple's bundled apps live on the sealed System volume).