AFAIK there is no valid reason to do so wrt apps that need root privileges to perform certain tasks that are either already owned by root.
OTOH, taking away suid/sgid bits and using sudo to grant authorization would be a valid reason, or having dev tools like compilers in a separate group. Then again dev tools shouldn't be on servers...
Another reason would be in the "security by obscurity" category, taking away any g+o rights to mask an app being there. There are many workarounds for finding out, so that's not a valid reason and the result would only give you a false sense of security.
|