Think of any system as a castle. Having access to an interactive shell is like standing outside the King's bedroom. Sure, you might not have the keys to the bedroom door, but you've already made it past the archers, the moat, the drawbridge, the boiling oil, and the King's personal bodyguards. You don't put a 3 ton door on the King's bedroom and say, "Well, that should keep the invading army out!"
No, you strengthen all of the defenses leading up to the door so you never have to worry about just how strong that door is. That's not to mention that the King probably doesn't appreciate having to swing a 3 ton door every time he wants to go to sleep.
Same idea with computer security. Only give accounts to trusted individuals. Assume anyone with an interactive shell can quickly gain root access. Physical access is even worse. If you can sit at the keyboard, then you control everything. This is why most banks have key servers locked in real physical vaults with 3 ton doors.
Honestly, I'm a little surprised. This is all "Computer Security 101" level stuff here. Getting worked up about "cracking" passwords given local access is akin to worrying about someone spying on you when you visit this site: http://www.josephcrawford.com/2006/11/11/scary-isight-trick/. If you want some real security research meat to sink your teeth into, the pwn2own contests are always pretty good, especially the most recent one (http://arstechnica.com/security/news/2011/03/pwn2own-day-one...). You might notice, if you read about the pwn2own contest, that the contest is over as soon as the exploit runs arbitrary code on the local machine and successfully breaks out of the application sandbox. At that point, you're knocking on the door...
That an attacker has physical access does mean that your computer is compromised, so you're half right.
If you seriously think having an account on a machine is as good as having the root account, then you should call up every shared hosting provider and let them know. They hand out accounts to any asshole with $10.
jballanc didn't say you can't guard against privilege escalation. He said, assume you can't. The point is subtle but important: given limited resources, you should allocate the majority of them to keeping the hacker off your system in the first place.
I'll leave it as an exercise to the reader to compare and contrast the entirely different use cases between a shared hosting server and a desktop machine running OS X.
I can create an account on the machine without having root access. Which gives me a shell. Which means I can exploit a flaw to change root password. Which means I have access to cookies and other fun things. Which means I can probably access that person's gmail which is pretty much game over, man.
Bedroom analogy is wrong. The computer is the castle. They have it. The problem is that your lord knows the secret entrance to your main castle (in the cloud). You want one of two things to happen: keep the lord safe, or kill the lord so his secrets are gone with him. The attacker formatting the machine, or replacing the hard drive, is fine; he already physically has it, just like he can take the vault and throw it outside and make a new one. However, you don't want him accessing that vault.