
Dropping privilege after initialization

For some programs, increased privilege is needed only to set up the application in a certain way. For instance, ping is setuid root because it needs to create a socket for receiving ICMP messages. Once it has that socket, it doesn't need root privilege anymore. So if it opens this socket as the very first thing inside the main procedure, it can drop its root privilege completely, thereby dramatically increasing the security of the program.

    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <stdio.h>

    int
    main(int argc, char **argv)
    {
        int     fd;

        /* This needs root privilege: a raw socket for ICMP */
        fd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
        if (fd < 0) { perror("socket"); return 1; }
        /* Drop root privs forever, and check that it actually worked: */
        if (setuid(getuid()) < 0) { perror("setuid"); return 1; }
        /* ... the rest of the program runs as the invoking user ... */
        return 0;
    }

Any bugs in the subsequent code don't give the caller much in the way of increased privilege, because the code simply runs with the privilege of the invoking user.

However, this is still no excuse for becoming sloppy! The code does retain one special privilege, the ICMP socket, and by exploiting e.g. a buffer overflow an attacker would be able to obtain that socket.

Now, an open ICMP socket is a far cry from the ability to e.g. append a line to the password file, which is why it's a good idea to drop privilege. However, in the hands of a savvy network programmer this humble socket can be used to attack the local network infrastructure and obtain increased privileges. The difference is that such an attack would probably depend a lot on the local network characteristics, and thus have a very low "script kiddie" appeal.
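The single setuid(getuid()) call in the ping sketch is the minimum; a privilege drop that a reviewer would sign off on also sheds the group ids (while still root, since afterwards the process may no longer be allowed to change them), checks every return value, and verifies that root really cannot be regained. The following is an added example written for these notes, not code from the original page or from ping; the function name drop_privileges_forever and its main() are assumptions, and the routine is meant to be called immediately after the privileged setup step (such as opening the raw socket), which keeps its open descriptors across the drop exactly as the text describes.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Permanently drop root privilege to the real uid/gid of the invoking user.
 * Returns 0 on success, -1 on failure (errno set). (Hypothetical helper,
 * not part of the original notes.)
 *
 * The order matters: supplementary groups and the gid must be dropped while
 * we are still root, because once the uid is gone we may no longer be
 * permitted to change them.
 */
int
drop_privileges_forever(void)
{
    uid_t   uid = getuid();
    gid_t   gid = getgid();

    if (geteuid() == 0) {
        /* Only root may change the supplementary group list. */
        if (setgroups(1, &gid) < 0)
            return -1;
    }
    if (setgid(gid) < 0)
        return -1;
    /* With euid 0, setuid() sets real, effective and saved uid at once. */
    if (setuid(uid) < 0)
        return -1;

    /* Verify the drop rather than trusting it: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;          /* we were still able to become root */
        return -1;
    }
    if (getuid() != uid || geteuid() != uid
        || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int
main(void)
{
    /* Privileged setup (e.g. the raw ICMP socket) would go here, first. */
    if (drop_privileges_forever() < 0) {
        perror("drop_privileges_forever");
        return 1;
    }
    printf("now running as uid %d, gid %d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The explicit setuid(0) probe after the drop is the part most often left out: on a system where setuid() only changed the effective uid, or where a call failed silently, the program would carry on believing it was unprivileged while still able to reacquire root, which is exactly the situation an attacker exploiting a later bug would hope for.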


Olaf Kirch 2002-01-16