[Chris_Newton]

There seem to be several reasonable ways to address this kind of situation without requiring universal access.

One would be analogous to an ACL arrangement rather than simple ownership. Steam applications could be installed with Steam also having permission to access their resources.

A second possibility would be to have the operating system provide dedicated services for installing and maintaining software. We’re already heading in that direction on some platforms anyway, and it would be useful generally given the kind of security model I suggested. Then software like installers/updaters or package managers can do their jobs in a tightly controlled way, without needing any general access or introducing the accompanying security risks.

[Karunamon]

Silly question; how common is this class of bug? We're talking about an application that lives on the local system, and is probably only exploitable via social engineering bugs (i.e. we convince the user to do something stupid).

I can count the times I've been owned through an app that doesn't run content from the internet (either accessed by or being a server for) on zero hands.

What is the problem that sandboxing every app into a homogenous set of thou-shalt-not's solves?

[Chris_Newton]

Silly question; how common is this class of bug? We're talking about an application that lives on the local system, and is probably only exploitable via social engineering bugs (i.e. we convince the user to do something stupid).

We live in a world where merely installing software might also install a silent updater in the background, or might interfere with existing software that it has no need to touch, or might start monitoring peripherals and phone home with data in ways that could invade privacy. We also live in a world where once popular software, particularly freely available software, sometimes drifts into borderline malware territory over time. In this world, “doing something stupid” can be as simple as turning on your computer and installing (not running, just installing) some of the most popular software in the world today on it.

What is the problem that sandboxing every app into a homogenous set of thou-shalt-not's solves?

To give a few examples, some of us would consider it a bug for everyday applications to splat junk all over a filesystem during a build/install, or to hide data in odd places as part of a copy protection scheme, or to scan a whole disk and automatically upload any files that might support “cheating” in a game to the mothership.

Unlike some here, I am not willing to trust the good intentions of a software developer just because I have paid good money to use their product. Far too many shady practices go on in parts of our industry for that to be a sensible policy without adequate safeguards in place any more.

[Karunamon]

And so the answer is to hamstring what all apps can do in the aim of safety?

...there's a commonly misattributed quote I have in mind that describes this situation.

[pjc50]

Steam runs content from the internet: the steam store, and all the downloaded games are from the internet.

And where do your apps come from? Wasn't there a thread the other day about installing the top apps from download.com and counting the chaos they inflicted on the system? Sure, you can avoid that, but not everyone does.

[Karunamon]

Steam runs mostly upstream vetted content, i.e. it's identical to the app store. If malicious code makes it through there, everyone is varying degrees of boned, sandboxes be damned. Yeah, it has a web browser, but 99% of the time, that browser is pointed at https://something.steampowered.com.

It's not like an average browser like Chrome where your main use case is running random code from random domains made by random people.

Besides, external apps are non-responsive to the question of whether the tradeoff gained by Apple's variant of sandboxing (where there are certain things you are not ever allowed to do, even if they are integral to the primary purpose of your software) is really worth preventing a limited class of issues?

App store requirements don't stop the user from downloading malware outside of the store. They do stop the user from doing certain things outright, and so push the user outside of the store, and so I'd argue, actually reduce safety as a knock on effect.