
No, it's a required security feature that goes back decades in some operating systems. You need to be able to trust the code that runs on your system, and to do that you want to ensure only admin can install things.

Of course, Windows has now partially solved that with UAC. Unfortunately you can never know if you can trust the software or not though. However this does stop malware from secretly running without your permission, since it would require a UAC prompt to run. Then we get into uneducated users.



Or you could just not trust the code to begin with. The user should be able to run any program they want to. The OS just shouldn't trust the user's programs. (And shouldn't autorun programs that the user didn't request).


Yes, but UAC has the same weakness as Linux permissions - it only protects the OS and programs, not the user-data. Programs can screw with userland data all they like without user permission.


The point is that UAC will (hopefully) prevent installing untrusted code in the first place, thereby preventing those types of attacks. Unfortunately, you have to either trust that the user knows what programs are good, or go down the dark road that leads to things like an app store.


Yeah but ... in Linux at least you have to set +x yourself on the downloads. Which is a basic sanity check.

In Windows there are too many ways to get elevated. And only one level of elevation.


Not as if users care about watching out before setting +x.

After all, there are tons of popular projects requesting users to run "curl http://... | sudo sh" and consider that a good idea, too.


Exactly. This is just a more elaborate form of Windows' little pop-up boxes asking you "are you sure you want to...."

I keep trying to teach my nephews that the default answer to that question is no... but of course, "yes" is the way you get anything done.


Normal users just set them without thinking twice about it.

Do you know one of the most asked questions in Mac OS X user forums from new users is how to disable root?


An interactive shell (like bash/python/irb) is untrusted code (i.e. the user can type whatever the hell they like). But I don't/shouldn't need root to run it.


His point was that you need root "to install it", not "to run it".


Wait, but 'install' means 'download'? So if Chrome was a single .py file, which I downloaded, and ran with python. That's fine. But because it's a .exe, I need root...?

I fail to see the difference. Sorry.



