So: the story we cooked up at the beginning of this topic is not entirely fictitious—well, it is, but it has a remarkable real-world parallel: the well-known Wireshark (previously called Ethereal) network packet sniffer and protocol analyzer application.
On older versions, Wireshark used to run as a setuid-root process, to perform packet capture.
Modern versions of Wireshark separate out the packet capture into a program called dumpcap. It does not run as a setuid-root process; instead, it runs with the required capability bits embedded into the binary, giving it just the privileges it needs to do its job—packet capture.
The potential payoff to a hacker now performing a successful attack on it is thus dramatically reduced— instead ...
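To see what "capability bits embedded into the binary" means concretely, here is an added example (not code from the book or from the Wireshark project) that decodes the `security.capability` extended attribute the kernel stores on such a file, using the `struct vfs_cap_data` layout documented in capabilities(7). The sample xattr is constructed by hand and assumes the typical `setcap cap_net_admin,cap_net_raw=eip dumpcap` configuration; the `inspect_binary` helper is mine and reads the attribute from a real path on Linux.

```python
import os
import stat
import struct

# Capability numbers from <linux/capability.h>; only the ones this example names.
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # "e" in the setcap flag string


def decode_vfs_caps(raw: bytes) -> dict:
    """Decode a security.capability xattr value (struct vfs_cap_data, v2 or v3)."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError(f"unsupported vfs_cap_data revision {revision:#x}")
    # Two (permitted, inheritable) u32 pairs cover capability bits 0..63.
    p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
    # v3 appends the user-namespace root id the capabilities are valid for.
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "permitted": p0 | (p1 << 32),
        "inheritable": i0 | (i1 << 32),
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def cap_names(mask: int) -> list:
    """Turn a capability bitmask into setcap-style names."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask & (1 << b)]


def inspect_binary(path: str) -> dict:
    """Report whether a file is setuid-root and which file capabilities it carries."""
    st = os.stat(path)
    setuid_root = bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
    try:  # os.getxattr is Linux-only; ENODATA means no file capabilities are set
        caps = decode_vfs_caps(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        caps = None
    return {"setuid_root": setuid_root, "file_caps": caps}


# Constructed sample: revision 2, effective flag set, permitted = inheritable =
# CAP_NET_ADMIN|CAP_NET_RAW, i.e. what setcap cap_net_admin,cap_net_raw=eip writes.
SAMPLE_DUMPCAP_XATTR = bytes.fromhex("01000002" "00300000" "00300000" "00000000" "00000000")

if __name__ == "__main__":
    info = decode_vfs_caps(SAMPLE_DUMPCAP_XATTR)
    print(cap_names(info["permitted"]), "effective" if info["effective"] else "")
```

Run `inspect_binary("/usr/bin/dumpcap")` on a host with Wireshark installed to compare the decoded set against `getcap`; a binary carrying only these two capabilities cannot, for example, write to arbitrary files the way a setuid-root process could.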