Playing around with find ${dir} -type f -perm -04000, I see that there are no longer any more suid executables placed in /usr/libexec or /usr/X11R6, so I believe these can be removed from install.sub. Based on the comments, this hasn't been touched in a long while.
diff bfe4739adb21458b6ca3fc690dff9c4b271f0330 /usr/src blob - 98d5313bcc8536593785d44cc15aa14faf4d92ee file + distrib/miniroot/install.sub --- distrib/miniroot/install.sub +++ distrib/miniroot/install.sub @@ -3021,14 +3021,11 @@ do_install() { echo -n ",nodev" # The only directories that the install puts suid binaries into - # (as of 3.2) are: + # (as of 6.8) are: # # /sbin # /usr/bin # /usr/sbin - # /usr/libexec - # /usr/libexec/auth - # /usr/X11R6/bin # # and ports and users can do who knows what to /usr/local and # sub directories thereof. @@ -3040,9 +3037,7 @@ do_install() { case $_mp in /sbin|/usr) ;; /usr/bin|/usr/sbin) ;; - /usr/libexec|/usr/libexec/*) ;; /usr/local|/usr/local/*) ;; - /usr/X11R6|/usr/X11R6/bin) ;; *) echo -n ",nosuid" ;; esac echo " 1 2"