@2ffa8eb4 hm. But that basically necessitates solid RPC between an unprivileged client and a privileged system management daemon, which in itself is exactly where we tend to find parsing bugs for decades (like the glibc one triggering this discussion is).
I'd honestly rather see a kind-of-single-syscall-suid mechanism that only works with a sensible verifiable pledge()-equivalent. Like, think of an xattr that contains ebpf code describing that a privileged open can open exactly one file, and...