Subject: Re: Addition to force open to open only regular files
To: Matthew Orgass <darkstar@pgh.net>
From: Greg Hudson <ghudson@MIT.EDU>
List: tech-kern
Date: 11/28/2000 01:20:12
> Going further in this direction, why not completely split privileged
> and non-privileged syscalls and have the standard syscalls always
> use the real id?

What if I actually want to run a library routine (say, fopen) with my
privileged ID?

Even Chris Torek's suggestion that setuid programs should run with the
real uid except at specific points doesn't really solve the problem.
Say a setuid program needs to get and use Kerberos tickets as root
(because it's fetching them from a keytab readable only by root).
Using the Kerberos tickets as root involves doing hostname lookups as
root.  Doing hostname lookups as root bumps up against the HOSTALIASES
problem.

(I'm not sure there is a satisfactory solution, other than deciding
that library routines shouldn't reference environment variables.  And
that would conflict with history and--in some cases--standards, so it
doesn't really work either.)
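The defensive pattern that the HOSTALIASES problem above calls for, as an added example that is not from this thread or from any particular libc: a library routine honours an environment variable only when the process is not running with privilege it did not inherit. The function names (`privileged_context`, `hostaliases_path`) and the sample environment are constructed for the example; the check takes the uids, gids and environment as parameters so it can be exercised without a real setuid binary.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* True when the process may hold privilege its invoker did not have. On the
 * BSDs issetugid(2) answers this more precisely (it stays set after the
 * process drops back to the real uid); this portable approximation compares
 * real and effective ids. */
static int privileged_context(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Look up NAME in an envp-style NULL-terminated array; returns the value or
 * NULL. Takes the array as a parameter so the check can be exercised on a
 * constructed environment instead of the real one. */
static const char *env_lookup(char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* The resolver-side decision: the HOSTALIASES file to consult, or NULL when
 * the variable must be ignored because the process runs with privilege
 * (e.g. a setuid program doing hostname lookups as root). */
const char *hostaliases_path(char *const envp[], uid_t ruid, uid_t euid,
                             gid_t rgid, gid_t egid)
{
    if (privileged_context(ruid, euid, rgid, egid))
        return NULL;
    return env_lookup(envp, "HOSTALIASES");
}

int main(void)
{
    /* Constructed environment, as the invoking user might set it. */
    char *const envp[] = { "PATH=/bin", "HOSTALIASES=/tmp/aliases", NULL };
    const char *p = hostaliases_path(envp, getuid(), geteuid(),
                                     getgid(), getegid());
    printf("HOSTALIASES %s\n", p ? p : "ignored (privileged context)");
    return 0;
}
```

Run as an ordinary user the variable is honoured; with a real/effective id mismatch (as inside a setuid program) it is ignored, which is the behaviour a library routine needs if it is going to consult the environment at all.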