Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet

Uffe Seerup

The real culprit

Is the deliberately holed *nix security model. Once again a SUID/setuid utility strikes.

Because of SUID, the *nix security model is not a security boundary. A security boundary guarantees that every access is checked against an access policy or permission set. By design, the *nix model is that if you are root you bypass all security checks.

It is a deliberate hole, drilled in the model out of necessity since the model is otherwise not capable of expressing necessary permissions in modern environments.

This is going to bite again and again like it has been responsible for numerous vulnerabilities and exploits in the past.

