Next: Where do you want Up: Setuid applications Previous: Dropping privileges with popen

I'm not scared yet, hit me harder!

In a way, what we've discussed so far was the simple version because we could solve all our problems by dropping privilege before running the external program. This is a sound proposition in cases such as crontab because we don't really care what the user does with the file; it's his to break or mend.

However, there are cases when the external program either needs increased privilege, or when the set-user program relies on the sub-process functioning properly.

For example, BSD comes with a utility called sliplogin. This is a set-user root program that is used by dialup users who log into their regular account, and then run sliplogin to configure their modem connection to run SLIP. As part of that process, sliplogin will run a shell script to set up network routes etc. Of course, this shell script needs to run with root privilege, otherwise it won't be able to modify the kernel's network configuration.

Another example is sendmail, the standard mail delivery program on Unix. It has had its share of security problems, and for several years it has been the epitome of bad security karma (this changed quickly when the first Java implementation was released).

sendmail is a single huge application that will act as an SMTP server, send locally generated mail, deliver all queued email, and much more, depending on the command line switch you invoked it with. And it is installed set-user root.

For example, sendmail can be invoked with the -bi switch that tells it to rebuild the aliases database from the /etc/aliases plain text file (usually, the alias database is kept in a special format that allows faster lookup than just searching a text file). Rebuilding the database happens via external commands such as makemap. In this case, it is imperative that sendmail makes sure that it executes the proper makemap program, and that the user cannot interfere with makemap's operation. Otherwise, an attacker might be able to put arbitrary aliases into the database, with possibly fatal consequences to the privacy of others, and overall system security.

Does that mean it has to run makemap with root privilege? Definitely yes! If sendmail dropped privilege prior to invoking makemap, an attacker would be able to attach to the process using the ptrace system call and interfere with its execution.
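The two requirements just stated, that the set-user program runs the proper helper and that the invoking user gets no hook into it, translate into a small amount of discipline around fork and exec. The following C function is an added illustration, not code from sendmail or from this text: it refuses anything but an absolute path (so neither PATH lookup nor a relative name chooses the binary), throws away the caller's environment in favour of a fixed one, closes every descriptor the user may have arranged for the child to inherit, and deliberately does not drop privilege, since the helper in this scenario needs root and a child that keeps root credentials fails the kernel's ownership check for a ptrace attach by the unprivileged caller. The helper path, the argument vector and the fixed environment are the caller's choice; the ones in main() are constructed for demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Run a privileged helper such as makemap on behalf of a set-user program.
 * Returns the helper's exit status (0..255), or -1 if the request was
 * refused or the helper could not be run to completion.
 *
 * Privilege is intentionally NOT dropped before exec: the helper needs
 * root, and keeping the credentials is what prevents the invoking user
 * from attaching a debugger (ptrace) to the child.
 */
int run_privileged_helper(const char *path, char *const argv[])
{
    /* Only an absolute path: never let $PATH or the cwd pick the binary. */
    if (path == NULL || path[0] != '/' || argv == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child. The inherited environment was chosen by the user, so
         * replace it wholesale with a fixed, minimal one (constructed). */
        char *const env[] = {
            "PATH=/usr/bin:/bin",
            "IFS= \t\n",
            NULL
        };

        /* Close every descriptor above stdio; the caller may have left
         * file, socket or directory handles open for the child to find. */
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0)
            maxfd = 1024;
        for (int fd = 3; fd < maxfd; fd++)
            close(fd);

        execve(path, argv, env);
        _exit(127);             /* exec failed; 127 mirrors the shell's convention */
    }

    /* Parent: wait for exactly this child, retrying on signal interruption. */
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (!WIFEXITED(status))
        return -1;              /* killed by a signal: treat as failure */
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed demonstration: /bin/sh stands in for the real helper. */
    char *const argv[] = { "sh", "-c", "echo \"PATH is $PATH\"; exit 3", NULL };
    int rc = run_privileged_helper("/bin/sh", argv);
    printf("helper exited with %d\n", rc);

    char *const bad[] = { "sh", "-c", "exit 0", NULL };
    printf("relative path refused: %d\n", run_privileged_helper("sh", bad));
    return 0;
}
```

The fixed environment matters as much as the fixed path: a helper that is itself a shell script, like the one sliplogin runs, will happily honour whatever PATH and IFS the user exported before invoking the set-user program.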

Where to discuss setuid vs ptrace issues?


Olaf Kirch 2002-01-16