Bugtraq mailing list archives

Re: For example ...


From: smb () research att com (smb () research att com)
Date: Fri, 02 Dec 94 21:05:23 EST


         Hear hear.  Probably a losing battle, but it gets my vote.
         The *best* way would be for the program to use setruid() to
         switch euid and ruid at the very beginning of the file and
         only switch back when it NEEDS the privileges instead of doing
         everything with privileges and dropping them when the
         designers thought they didn't need them.

Better, but not ``best''.  Doing too much bookkeeping is a sure-fire
recipe for trouble, and if a program even potentially has privileges
accessible via setreuid it can still fall victim to a buffer overflow
attack a la the Internet Worm.  Or maybe it can be tricked about what
files to open with privileges.

I much prefer a design where privileges are exercised in one spot,
and then irrevocably abandoned.  It's even better if it can do the
privileged stuff before any sort of interactions or complex decisions,
though of course that isn't always possible.  Still, a two-process
design can buy a lot of safety.
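
The design smb prefers above, the privileged step done once and early, privileges then abandoned irrevocably, and the privileged and untrusted halves split across two processes, as an added example in C that is not code from the original post. The parent opens the file before it has looked at any request, forks, and the child drops its uid, gid and supplementary groups (checking that root cannot be regained) before it parses anything; the answer comes back over a pipe. It is Linux-specific (setresuid/setresgid); the store path, the uid/gid 65534 ("nobody"), and the toy key=value lookup are assumptions made for the demonstration.

```c
/* Added example for this thread, not code from the original post: do the
 * privileged step once before any untrusted interaction, then abandon
 * privileges irrevocably in the process that parses input. Linux-specific.
 * The store path, uid/gid 65534 and the key=value lookup are assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample input for the demonstration, not real data. */
int write_sample_store(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("dbpass=hunter2\nsmtp=relay.example\n", f);
    return fclose(f);
}

/* Step 2: abandon privileges for good, saved ids included, and verify it.
 * Returns 0 on success; on -1 the caller must exit, never carry on. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* only root may */
        return -1;
    if (setresgid(gid, gid, gid) != 0)   /* gid first: impossible after uid */
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (uid != 0 && setresuid(0, 0, 0) == 0)   /* must fail: no way back */
        return -1;
    return 0;
}

/* Step 3, unprivileged: the only code that sees attacker-controlled input.
 * All it holds is one read-only fd handed down by the parent. */
static int lookup_value(int fd, const char *key, char *out, size_t outlen)
{
    FILE *f = fdopen(fd, "r");
    char line[256];
    size_t klen = strlen(key);
    int rc = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        if (strncmp(line, key, klen) == 0 && line[klen] == '=') {
            snprintf(out, outlen, "%s", line + klen + 1);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Two-process driver. Step 1 (privileged, once): the parent opens the
 * store before it has looked at the request. It then forks; the child
 * drops privileges, answers over a pipe and exits. The parent never parses. */
int serve_request_privsep(const char *path, const char *key,
                          uid_t uid, gid_t gid, char *out, size_t outlen)
{
    int fd, pfd[2], status;
    pid_t pid;
    ssize_t n;

    fd = open(path, O_RDONLY | O_CLOEXEC);   /* before fork, before parsing */
    if (fd < 0 || pipe(pfd) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char value[128];
        close(pfd[0]);
        if (drop_privileges_permanently(uid, gid) != 0)
            _exit(2);                        /* refuse to run privileged */
        if (lookup_value(fd, key, value, sizeof value) != 0)
            _exit(1);
        if (write(pfd[1], value, strlen(value)) != (ssize_t)strlen(value))
            _exit(3);
        _exit(0);
    }
    close(fd);
    close(pfd[1]);
    n = read(pfd[0], out, outlen - 1);       /* reply fits one atomic write */
    close(pfd[0]);
    if (waitpid(pid, &status, 0) != pid || n < 0 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    out[n] = '\0';
    return 0;
}
```

Usage: serve_request_privsep("/tmp/privsep_example.store", "dbpass", 65534, 65534, buf, sizeof buf) run as root fills buf with "hunter2"; run unprivileged, pass your own uid and gid and the drop still goes through the same checks. The contrast with the toggling approach quoted above is that there the saved uid stays 0 for the life of the process, so a buffer overflow anywhere in the parsing code can call setreuid() and be root again; here the child has nothing left to come back to, and the parent, which does hold privileges, never reads the request.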


