Hacker News
by TacticalCoder 1072 days ago
I see that reasoning very often but I don't agree with it (note that I'm not saying a local exploit is great).

But first I'll start with a question: why don't you (and everybody else for that matter) run everything as root?

Why don't we all search our entire disks for every single executable and then execute chmod 777 on all of them? I mean: that'd make for a good XKCD...

If the idea is that it's game over anyway if there's a local exploit, we may as well just run everything as root, right? Why even bother with sudo at all?

> Out of curiosity: What sensitive things does the root account protect on your workstation?

I'm one of those people using several user accounts on my own system. For example my professional account is separated from my personal account (and I do use both simultaneously). One of my browsers (I run several browsers) is in a throwaway user account: clean slate at every launch. Why not?

And a local exploit compromising one user account requires a second exploit to access what's in the other users' accounts.

> The only thing root access would give somebody on my machine is to uninstall some random packages or corrupt my install.

Root access could allow the attacker to install a persistent backdoor which would be very hard to detect. Installing a persistent backdoor that can evade detection is incredibly harder to do if all you have is a local exploit.

I take a system on which I have more chances to detect that an exploit happened --even if the exploit did already happen-- any day over one with fewer chances to detect that an exploit happened.

And even if, for me, a local exploit means it may be too late for some stuff (although having U2F/webauthn and soon passkeys in many important places should limit damages), having a non-compromised root may allow me to detect a local exploit and share my findings with the community. Which has a lot of value too.