Hear hear. Probably a losing battle, but it gets my vote.

The *best* way would be for the program to use setruid() to switch euid and ruid at the very beginning of the file and only switch back when it NEEDS the privileges instead of doing everything with privileges and dropping them when the designers thought they didn't need them.

Better, but not ``best''. Doing too much bookkeeping is a sure-fire recipe for trouble, and if a program even potentially has privileges accessible via setreuid it can still fall victim to a buffer overflow attack a la the Internet Worm. Or maybe it can be tricked about what files to open with privileges. I much prefer a design where privileges are exercised in one spot, and then irrevocably abandoned. It's even better if it can do the privileged stuff before any sort of interactions or complex decisions, though of course that isn't always possible. Still, a two-process design can buy a lot of safety.
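The "exercise once, then irrevocably abandon" design discussed above, as an added example that is not part of the original thread: it drops to a target uid/gid by setting the real, effective and saved ids together, then verifies that no saved root id remains to toggle back to. It assumes Linux/glibc (setresuid/setresgid and setgroups).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Irrevocably drop to uid/gid. Returns 0 on success, -1 on failure.
 * Unlike a seteuid()/setreuid() toggle, which leaves a saved uid of 0
 * behind, this clears all three ids so there is nothing to come back to. */
int drop_privileges_irrevocably(uid_t uid, gid_t gid) {
    /* Supplementary groups can only be shed by root; an unprivileged
     * process cannot call setgroups() and has no root groups to shed. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    /* Groups first: once the uid is gone, changing gids is no longer allowed. */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}

/* Verify that the drop stuck: real, effective and saved ids all match the
 * target, and the bookkeeping-style "switch back" now fails. Returns 1 if
 * privileges are truly gone, 0 otherwise. */
int privileges_are_gone(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0) return 0;
    if (getresgid(&rg, &eg, &sg) != 0) return 0;
    if (ru != uid || eu != uid || su != uid) return 0;
    if (rg != gid || eg != gid || sg != gid) return 0;
    /* With a saved uid of 0 this call would succeed; after a real drop it
     * must fail with EPERM. Only meaningful when the target is not root. */
    if (uid != 0 && seteuid(0) == 0) return 0;
    return 1;
}

int main(void) {
    /* If run as root, drop to a constructed unprivileged id (65534, "nobody"
     * on many systems); otherwise just pin the current ids. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getgid() ? getgid() : 65534;
    if (drop_privileges_irrevocably(uid, gid) != 0) {
        perror("drop_privileges_irrevocably");
        return 1;
    }
    printf("privileges gone: %d\n", privileges_are_gone(uid, gid));
    return 0;
}
```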