
This is what I'd agree with. The concepts of user and group are hand-me-downs from systems built for sharing networked resources and pretty much require some kind of centralized AAA to make any sense. They're a model designed for protecting the system from users and users from each other, but that doesn't make any sense on a personal computer where the more pressing need is to protect the user from malicious applications.


> that doesn't make any sense on a personal computer where the more pressing need is to protect the user from malicious applications.

Of course it makes sense. Running applications as restricted users has been standard practice for decades, precisely because it makes sense.


> Running applications as restricted users has been standard practice for decades

...as a way of preventing users from interfering with the system or other users in multi user systems. Running applications as a user different from yourself is an ugly hack we've started doing because we don't have actual control over what our applications can access, so things like ransomware are possible despite not having system level access. Since Plan9 never took off, containerization of applications is the next best thing.

What I'm saying is, running in a restricted user account does absolutely nothing to protect the user running in the restricted account from malicious applications. That's how the user/group model fails in personal computing.


Once you add backup into the picture, the local users are great. My main account can have all the ransomware it wants, all the backups are going to stay intact, so I can restore the files.

* In real life there is the "sudo hole", but this can be fixed within the current user concept.


I'd rather prevent ransomware from working in the first place. Local backups are hardly sufficient anyway.


Why won’t local backups be sufficient against ransomware? Is it because of privilege escalation attacks?

I was under the impression that even with zero-days, using a modern distribution with auto updates will minimize the amount of time the system is vulnerable, so for most of the time it will be sufficient.


And the advent of containerization is becoming standard practice now, precisely because it makes more sense for certain situations, where the user abstraction has proven less useful and more cumbersome. That was the point of this subthread.


I like being protected from writing to /dev/sda by mistake. If an OS is going to expose its guts to the world it makes sense to have permission controls on the vulnerable parts.
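The two threads above (a separate backup account whose files the main account cannot touch, and being kept away from /dev/sda by permission bits) both rest on the classic Unix discretionary access check. The following is an added example, not code from any commenter: it models the owner/group/other mode-bit check in Python over a constructed mini filesystem and shows which paths a ransomware process running as the main account could overwrite, versus the backup account and root after a "sudo hole". All UIDs, GIDs, paths and modes are constructed sample values.

```python
import stat
from dataclasses import dataclass

# Permission bits in the low (other) class; we shift the mode so the same
# constants apply to whichever class is selected.
R, W, X = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH   # 4, 2, 1


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int          # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset    # primary plus supplementary groups


def permits(proc: Process, node: Inode, want: int) -> bool:
    """Classic Unix DAC (CAP_DAC_OVERRIDE aside): root bypasses read/write,
    and needs at least one x bit for execute; everyone else is judged by
    exactly one class, chosen in order owner, group, other."""
    if proc.uid == 0:
        return not (want & X) or bool(node.mode & 0o111)
    if proc.uid == node.uid:
        bits = (node.mode >> 6) & 0o7
    elif node.gid in proc.gids:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return (bits & want) == want


def writable_by(proc: Process, fs: dict) -> list:
    """Paths a process could overwrite: the blast radius of ransomware
    running with that process's identity."""
    return sorted(p for p, node in fs.items() if permits(proc, node, W))


# Constructed sample identities (hypothetical UIDs/GIDs).
UID_MAIN, GID_MAIN = 1000, 1000          # interactive user "alice"
UID_BACKUP, GID_BACKUP = 1001, 1001      # dedicated backup account
GID_DISK = 6                             # group owning block devices

MAIN = Process(uid=UID_MAIN, gids=frozenset({GID_MAIN}))
BACKUP = Process(uid=UID_BACKUP, gids=frozenset({GID_BACKUP}))
ROOT = Process(uid=0, gids=frozenset({0}))   # what a passwordless sudo hands out

# Constructed mini filesystem: backups are readable only by the backup
# account, the raw disk is group-owned by "disk", and alice's files are
# world-readable so the backup job can copy them.
FS = {
    "/home/alice/docs.txt": Inode("/home/alice/docs.txt", UID_MAIN, GID_MAIN, 0o644),
    "/srv/backup/alice.tar": Inode("/srv/backup/alice.tar", UID_BACKUP, GID_BACKUP, 0o640),
    "/dev/sda": Inode("/dev/sda", 0, GID_DISK, 0o660),
}


if __name__ == "__main__":
    for name, proc in (("main", MAIN), ("backup", BACKUP), ("root", ROOT)):
        print(f"{name:>6} can overwrite: {writable_by(proc, FS)}")
```

Run as a script it prints one line per identity. The point the commenters are making falls out of `writable_by`: malware in the main account can ruin `/home/alice/docs.txt` but cannot reach the backup archive or the raw disk, while the backup account can read the documents and write only its own archive. The same table also shows why the "sudo hole" matters: once the process is root, every path is writable, so the backup separation only holds if escalation from the main account is actually closed off.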



