1

I'm not experienced at reverse engineering at all. I hope this basic question is suitable for this site. Basically I want to know where the value DARWIN_USER_CACHE_DIR is read from. I'm trying to trace the system calls like this:

sudo bash dtruss /usr/bin/getconf DARWIN_USER_CACHE_DIR -h -f -a

So, it would follow any forked processes too. But, I cannot see any calls that would indicate where it originates from.

perror
Newbie

1 Answer

3

Note: I don't know much about OSX, and wouldn't have answered if there had been another answer after 24 hours.

According to Apple, getconf uses sysconf and confstr to find these configuration values, with confstr handling DARWIN_USER_CACHE_DIR. The confstr library function might well hard-code these values - if you check the glibc source, you see the glibc version of confstr hardcodes CS_PATH as well.

However, the confstr manual page also states it can return error code EIO if there is an "I/O error communicating with opendirectoryd(8)", which means these values might be opendirectory attributes as well. Check your dtruss output for any socket calls; if there aren't any, the attributes are probably hard-coded in libc; otherwise, these paths are probably hidden in the opendirectory configuration somewhere.

Guntram Blohm
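As an added example (not part of the answer above and not Apple's code): a small C program that makes the `confstr` call the answer describes, so that one call can be traced on its own in place of `getconf`. The helper name `query_confstr` is hypothetical; `_CS_DARWIN_USER_CACHE_DIR` is assumed to come from macOS's `<unistd.h>`, and on other systems the program falls back to `_CS_PATH`.

```c
#if !defined(__APPLE__) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L   /* expose confstr() under strict -std modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from the page). Returns 0 and a malloc'd string on
 * success, -1 if the name is valid but has no value, or a positive errno
 * (EINVAL for an unknown name, EIO for the opendirectoryd failure the manual
 * page mentions). */
int query_confstr(int name, char **out)
{
    *out = NULL;
    errno = 0;
    size_t need = confstr(name, NULL, 0);      /* size query, no buffer */
    int err = errno;
    while (need != 0) {
        char *buf = malloc(need);
        if (buf == NULL) return ENOMEM;
        errno = 0;
        size_t got = confstr(name, buf, need);
        err = errno;                           /* save before free() can touch it */
        if (got != 0 && got <= need) { *out = buf; return 0; }
        free(buf);
        need = got;                            /* 0 = failure, else retry larger */
    }
    return err ? err : -1;
}

int main(void)
{
#ifdef _CS_DARWIN_USER_CACHE_DIR               /* assumed: macOS <unistd.h> */
    int name = _CS_DARWIN_USER_CACHE_DIR;
#else
    int name = _CS_PATH;                       /* stand-in on other systems */
#endif
    char *value;
    int rc = query_confstr(name, &value);
    if (rc != 0) {
        fprintf(stderr, "confstr: %s\n", rc > 0 ? strerror(rc) : "no value defined");
        return 1;
    }
    puts(value);
    free(value);
    return 0;
}
```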