Subject: Re: Addition to force open to open only regular files
To: Jaromír Dolecek <dolecek@ics.muni.cz>
From: Warner Losh <imp@village.org>
List: tech-kern
Date: 11/20/2000 11:56:44
In message <200011201844.eAKIiec00461@saruman.ics.muni.cz> Jaromír Dolecek writes:
: Bill Studenmund wrote:
: > The difference is not that it can be less aware, but that it has no idea
: > what has happened to the ids - it can't assume it is running at lower
: > privileges, whereas a set-ID program should have a good idea what
: > privileges it is running at.
: 
: We don't need to care about whose privilege is "higher". We only
: need to ensure that potentially exploitable things are done
: with the id of the user who executed the program.

That's not entirely true.  We need to also prevent disclosure of
information that shouldn't be disclosed.  This information might
appear in an error message.

Warner
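As an added example (my own code, not from the thread or from NetBSD), here is the shape both points above ask for in C: a set-ID program opens the file with the real user's id, keeps the descriptor only if it turns out to be a regular file, and reports a coarse result so the error message discloses nothing the user could not learn from a plain open(2) of their own. The function and enum names are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* for seteuid() and O_NOFOLLOW */
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Coarse outcome codes; the caller never sees the raw errno. */
enum open_result { OPEN_OK = 0, OPEN_DENIED = 1, OPEN_NOT_REGULAR = 2 };

/* Open 'path' read-only with the invoking user's privileges and keep the
 * descriptor only if it refers to a regular file.  On OPEN_OK, *fdp is
 * the open descriptor; otherwise *fdp is -1.  (Hypothetical helper.) */
enum open_result open_regular_as_user(const char *path, int *fdp)
{
    uid_t saved_euid = geteuid();   /* the set-ID identity to return to */
    struct stat st;
    int fd;

    *fdp = -1;
    /* Let the kernel check permissions as the real user, not the set-ID one. */
    if (seteuid(getuid()) == -1)
        return OPEN_DENIED;
    /* O_NOFOLLOW: refuse symlinks; O_NONBLOCK: do not hang on a FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    /* Regain the set-ID identity whatever open() did; if that fails the
     * program's privilege state is unknown, so give up on the file. */
    if (seteuid(saved_euid) == -1) {
        if (fd != -1) close(fd);
        return OPEN_DENIED;
    }
    if (fd == -1)
        return OPEN_DENIED;   /* ENOENT, EACCES and ELOOP all look alike */
    /* Check the object actually opened, not a racy stat() on the name. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode)) {
        close(fd);
        return OPEN_NOT_REGULAR;
    }
    *fdp = fd;
    return OPEN_OK;
}

/* Message text that discloses nothing the user could not learn from a
 * plain open(2) of their own, since the open was done with their id. */
const char *open_result_text(enum open_result r)
{
    switch (r) {
    case OPEN_OK:          return "ok";
    case OPEN_NOT_REGULAR: return "not a regular file";
    default:               return "cannot open file";
    }
}
```

Because the open itself runs with the real uid, even the errno that is collapsed into OPEN_DENIED is one the user could have obtained without the set-ID program.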