Subject: Re: Addition to force open to open only regular files
To: None <darkstar@pgh.net, tech-kern@netbsd.org>
From: Chris Torek <torek@BSDI.COM>
List: tech-kern
Date: 11/27/2000 14:53:28
By the way, I think this here is an *extremely* important point:

>... But if you can temporarily drop privileges, then you should
>always run in the lower privilege except for the exact places where you
>need the higher privilege.

In other words, given the mechanism we have now in the various BSDs,
EVERY SETUID PROGRAM SHOULD BEGIN WITH:

	seteuid(getuid());

I might even argue that we should change all our kernels to make "setuid"
really be "set saved uid", so that programs *start out* in this mode. :-)
(There is a slight problem with that aside from the obvious historical
incompatibility: the program then has to have its privileged ID compiled-in.
Could stick something in the startup code, I suppose, with a global variable
__privileged_uid...)

(This would probably close a lot of small holes.  Then you just want
a few places where you do:

	optional: block all signals;
	seteuid(privileged_ID);
	fd = open(path, flags, createmode);
	seteuid(unprivileged_ID);
	release blocked signals;

more or less.)

Matthew Orgass already said this; I just wanted to agree with and
emphasize it.

Chris