So where should they put their temporary files?

On Wed, 29 May 2024 17:20:08 +0100
Let me come back at my point, then: security precautions predicated on
the assumption that an Authorized Person is not operating in good faith
and due diligence concordant with their level of authorization suffer
from severe diminishing returns with each additional layer of safeguard
and may even reach a point where they're *counterproductive.*

Restricting the ability to install software to a designated group of
administrators, f'rexample, is a perfectly sensible thing to do,
especially in a large shared system. But once you've created such a
group, assessing whether a given individual is trustworthy and
knowledgeable enough to be a member of it is an organizational problem,
*not* a technical one.

Some measure of safeguarding may still be worth the bother despite this
(while Windows's "hey, you got this thing off the Interwebs, you sure
'sokay?" prompts annoy me personally, I can see the logic behind them,)
but every additional layer calls further into question what the point
of even having the group is in the first place, and whether *anyone*
should really be a member of it. If not, why did you let them in? If
so, why are you hampering their ability to exercise that authority?

This has become semi-famously an issue in medical software, for
instance. Developers of some major EMR systems, driven by regulatory
and legal CYA concerns, have put so many are-you-sure and please-
acknowledge-XYZ prompts into their core workflow that doctors (who are,
shockingly, only human) end up clicking through them machine-gun style,
and pay *less* attention to the actually critical stuff than they
would've if it weren't buried in an avalanche of white noise.

And doctors aren't software specialists; sysadmins *are.* Throw too
many safeguards in the path of a sysadmin just trying to get shit done,
and you don't end up with a sysadmin forced to question whether they
really *are* sure, or even a sysadmin powering doctor-style through a
set of nagging little obstacles they aren't thinking about; you end up
with a sysadmin who will - guaranteed - develop a process of *disabling
the entire safeguard system* for the duration of the job, and then (if
you're lucky) re-enabling it afterward.

We saw exactly that with UAC in Windows Vista; it was so bad that the #1
method for dealing with it was to disable it entirely, and people were
so burned by it that that remained true *well* into the Win10 era,
despite MS's attempts to temper it into some measure of reasonability.

So no, I don't think that a couple examples of minimal assistance in
situations where direct supervision is either absent or impaired *do*
constitute a hard-and-fast argument against temperance in security
design as a general principle. Sometimes a little extra safety is worth
it, sometimes not; and sometimes you're actually shooting yourself in
the foot.

And if I had to place my bets on where changing the behavior of
fundamental system calls in a major OS family where they've been
standard since the '70s lies on that spectrum...well, it's not gonna be
in the "worth it" zone.