Subject: Re: Addition to force open to open only regular files
To: matthew green <mrg@eterna.com.au>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-kern
Date: 11/13/2000 18:27:15
Date: Mon, 13 Nov 2000 21:02:27 +1100
From: matthew green <mrg@eterna.com.au>
Message-ID: <12958.974109747@eterna.com.au>
| to a significant portion of us, such an audit is *never* good enough,

The whole notion of setuid depends upon confidence in the program.
It is an "all or nothing" kind of priv granting - the only way to
safely turn on a setuid bit, ever, is to have confidence in all of the
code that is being affected. It has always been that way - the only
remedy to this is to switch to some other priv model entirely.

| i wish it were that simple. (c) makes it "impossible."

Fortunately (c) is irrelevant - you can't possibly be asked to guarantee
that all code added by anyone, ever, in the future, will be safe (which
was what (c) was requesting). Caveat Emptor is important - those who
add the setuid programs must take responsibility for their actions.

kre