So, after rummaging around for what seemed like forever to find my STEAM details, I used firefox and checked my account. Naturally, I had to download the STEAM software and then the few games I had in my library.
Now, keep in mind that this was all done through the Firefox browser using a standard user's account.
After installing everything and taking it for a test run, I did a
whereis steamas a matter of habit and was surprised to see files in /usr/bin. On checking, there are indeed steam & steamdeps executables in there. Both owned by root with rwxr-xr-x permissions.
Now, given that at no time was I asked for root authentication how did they get there with those permissions? I could understand if they were installed in my /home... but they're not.
This concerns me deeply. Even the idea that a user can install something in another user's account simply by using a browser is disturbing.
Or am I misunderstanding some basic concept and over-reacting?