It seems to me that the only correct solution which can really work in
   these cases is a library audit, make it clear which library routines
   are subject to end-user (as distinct from application) manipulation of
   their actions, either directly, or (as here, indirectly about half a
   dozen layers deep into the name->address translation routines) and then
   make sure that all setuid applications that call those library routines
   do so with the uid set in the appropriate form for correct operation.



to a significant portion of us, such an audit is *never* good enough,
because (a) bits will be missed, (b) new bits will appear all the time,
and (c) we can't possible audit every program that is setuid that may
be used on a NetBSD system.


i wish it were that simple.  (c) makes it "impossible."