"Are you so divine in administrating computers that you never make mistakes?"
My point was, yes I am. Other than one mistake almost a decade ago, I have never caused any accidental harm, during thousands and thousands of hours. Neither have I been the victim of anything malicious.
About a month ago on the Ubuntu board, though, there was someone who discovered a sort of trojan horse in a dysfunctional screensaver they had downloaded somewhere. It was just a crude shell script; my analysis of it was that with root privileges it could use ping to forward the IP and wget to replace itself at any point. The site that it pinged was not the site where it was distributed and was also handing out World of Warcraft "phishing" kits, i.e., for password cracking. I figure the dude was starting to experiment with Denial of Service attacks since he had amassed a bunch of machines that alerted him when online and could be used to simultaneously send requests anywhere, without doing any harm to the infected machine or the user knowing.
And lo and behold, he really had amassed a bunch of machines. Within hours, there were a half dozen or so people just wandering the Ubuntu board who noticed this and recognized the site where the "screensaver" was distributed. Seems they all had downloaded a screensaver or gtk theme, installed it, it did not work, so they forgot about it figuring it was just "defective". But they all also had variations of that script in the same location. There's no saying what else could have been installed, of course, so I wrote a simple script people could run in the background that would tell them if the same kind of thing was still going on. AFAIK there wasn't.
Now, some of those people were running root. I promise I would never fall for something so simple. While I can't deny a more complex version could get me, it seems to me based on the success of that enterprise that what the perpetrators were aiming at is a naive majority.
So I'm not saying non-privileged users and groups are a dumb feature. What I am saying is that Yarin probably does not have much to worry about.
In fact, the historical purpose of those things was for large installations with many terminals and different users. That is where and why they are successful. Nobody uses my computer but me.
I totally agree that most daemon processes should run as their own group, not root. I haven't hacked apache to run as root. I have an ftp server and when it's on, I certainly don't let it run as root. I run as root. If I were a sys admin somewhere, I wouldn't let everyone do that, either.
Yes, which is why web browsers should also run setuid/setgid like web servers. I NEED to browse the web while working on code. Even if I had an account, "mk27", that thereby protected the system, it still would not do anything to protect what is most important to me -- the code in my home directory, etc. But right now, that is a very difficult proposition, since you would have to log in as the group you want to run firefox safely as, start X, keep your bookmarks etc. in the firefox account, and then log in through a terminal to access your code as some other user. Lot of awkwardness in this one -- if you like GUI file browsers, you wouldn't have access to the material you were trying to protect! Instead, we just say "oh, just have one user account for yourself and do everything with that", as if that were the ideal answer or that it is so much safer than running root. Consider a small bug in Firefox that allows code from web pages or images to be run.
The user/group permissions system is very useful and a good thing. But I take issue with this naive and simplistic assumption/assertion that the purpose of it is so you can run as "bob" and sudo when you need to, and that makes everything safe, and that setuid is pointless or wrong-headed, etc. That is just a caveat for newbies and an introduction to the principles involved.
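The setup the post describes (browser isolated under its own uid so that a browser bug cannot reach the code in your home directory), as an added example that is not the poster's script and not part of the original thread. It assumes a working account named "mk27" (the poster's example name), a hypothetical dedicated account "webuser", sudo, an X server on the current $DISPLAY, and GNU or BSD stat(1); the home-directory check is the part a practitioner actually needs, because a separate browser uid protects nothing if the home directory is world-readable.

```shell
#!/bin/sh
# Added example: run the browser as a separate unprivileged user instead of
# logging in as that user and starting a whole X session as it.
#
# One-time setup as root (assumed names: mk27 = your account, webuser =
# hypothetical browser-only account, browser binary /usr/bin/firefox):
#   useradd --create-home --shell /usr/sbin/nologin webuser
#   printf 'mk27 ALL=(webuser) NOPASSWD: /usr/bin/firefox\n' \
#       > /etc/sudoers.d/webuser && chmod 440 /etc/sudoers.d/webuser

# home_is_private DIR
# Returns 0 if "other" has no permission bits at all on DIR (so a process
# running as a different uid that shares none of your groups cannot list,
# search or read it), 1 otherwise. Only the last three octal digits of the
# mode are examined; sticky/setgid bits are ignored.
home_is_private() {
    dir=$1
    # GNU coreutils stat first, BSD stat as the fallback.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%OLp' "$dir") || return 1
    mode=$(printf '%s' "$mode" | tail -c 3)
    case "$mode" in
        [0-7][0-7]0) return 0 ;;   # other = ---
        *)           return 1 ;;
    esac
}

# run_browser_as USER COMMAND [ARGS...]
# Grants USER's local uid access to the X server (xhost SI:localuser entry,
# which works even though USER cannot read your ~/.Xauthority cookie) and
# starts COMMAND under that uid with its own $HOME, so bookmarks, cache and
# any code a web page manages to execute stay inside USER's home, not yours.
run_browser_as() {
    browser_user=$1; shift
    if ! home_is_private "$HOME"; then
        printf 'warning: %s is readable by other users; chmod 750 %s first\n' \
            "$HOME" "$HOME" >&2
    fi
    xhost +SI:localuser:"$browser_user" >/dev/null || return 1
    sudo -u "$browser_user" -H "$@"
}

# Typical use from your normal (non-root) session:
#   run_browser_as webuser /usr/bin/firefox
```

Your own session, file manager and editor keep running as mk27, so the awkwardness the post describes (no GUI access to the material you are protecting) goes away: only the browser process changes uid. The warning in run_browser_as is the point of the exercise; if your home directory is 755, which many distributions default to, the browser user can still read your code and the separation buys nothing.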