I love how every discussion here eventually derails into "XYZ sucks". Yes, XYZ sucks. But FGH sucks more. I want to do what FGH does, because while FGH sucks, it solves a real-world problem.

Now back to PrivEsc, I actually found Antenore's suggestion inspiring. It would work if we could force only part of the command to remain constant, and use the constant part to perform non-interactive authentication (e.g. by verifying a provided secret). Essentially delegate authentication to a sub-command in a Bernstein-style exec chain, like this:

    $ sudo -n -- verifyme -- ./my-amazing-script
      ^ substitute doas, sup, etc
                 ^ authn helper, no suid
                             ^ arbitrary; exec only if authn successful

Pros:
- Can perform non-interactive verification
- No new suid cruft on your system; can be written in plain sh
- No black magic, keep existing setup almost untouched
- Just one extra rule in sudoers / doas.conf / config.h
- Reuses and plays nice with existing PrivEsc methods

Cons:
- ?

<3,K.
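A sketch of what the `verifyme` link in that exec chain could look like in plain sh, as an added example (not code from the original post or from any project it mentions). It assumes the secret is handed over in a file named by the environment variable `VERIFYME_TOKEN_FILE` and that the expected SHA-256 digest lives in `VERIFYME_DIGEST_FILE` (default `/etc/verifyme/digest`); both names are assumptions, as is the choice of a high-entropy random token (for which an unsalted digest is adequate) rather than a human password. The secret travels in a file rather than in argv so it never shows up in `ps` or in shell history, and the helper only `exec`s the rest of the command line when the check succeeds.

```shell
#!/bin/sh
# verifyme (assumed name): non-interactive authn helper for an exec chain such as
#   sudo -n -- verifyme -- ./my-amazing-script
# Verifies a caller-supplied secret against a stored digest, then execs "$@".
# No suid bit needed: privilege comes from the sudo/doas rule that allows this helper.

# digest_of FILE -> prints the SHA-256 hex digest of FILE's contents
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"          # BSD/macOS fallback
    fi | cut -d' ' -f1
}

# verify_token TOKEN_FILE DIGEST_FILE -> 0 if the token matches, 1 otherwise
verify_token() {
    token_file=$1
    digest_file=$2
    # unreadable or missing inputs are a deny, never a pass
    [ -r "$token_file" ] && [ -r "$digest_file" ] || return 1
    expected=$(tr -d '[:space:]' < "$digest_file")
    [ -n "$expected" ] || return 1
    actual=$(digest_of "$token_file")
    # compare fixed-length digests, not the raw secret
    [ "$actual" = "$expected" ]
}

# verifyme_main [--] CMD [ARGS...]: authenticate, then exec the arbitrary part
verifyme_main() {
    [ "$1" = "--" ] && shift
    [ $# -gt 0 ] || { printf 'usage: verifyme -- cmd [args...]\n' >&2; return 64; }
    token=${VERIFYME_TOKEN_FILE:?VERIFYME_TOKEN_FILE must name the secret file}
    digest=${VERIFYME_DIGEST_FILE:-/etc/verifyme/digest}   # assumed default path
    if ! verify_token "$token" "$digest"; then
        # record the denial; who invoked us is in SUDO_USER when run under sudo
        printf 'verifyme: denied user=%s cmd=%s\n' "${SUDO_USER:-?}" "$1" >&2
        return 77
    fi
    exec "$@"
}

# Entry point when run as a script (not when sourced for testing).
case "$0" in
    */verifyme|verifyme) verifyme_main "$@" ;;
esac
```

Two things worth remembering when wiring this up: sudo resets the environment unless the rule (or `env_keep`) preserves `VERIFYME_TOKEN_FILE`, so the sudoers line granting `NOPASSWD` on the helper is where that decision lives; and the digest file must be writable only by root, otherwise anyone who can edit it can mint their own secret.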