Re: The real culprit
"Their existence is proof of a failed security model, incapable of expressing a set of privileges for a process's execution."
This is indeed a significant architectural limitation - and a security risk, as SUDO must always run initially as root / UID 0.
Windows is a good example of an OS that does it right, with fine-grained ACLs (and auditing) capabilities built in from the ground up, and features like constrained delegation, meaning an account can have just the admin rights it needs for each task. So, for instance, in Windows you can set separate permissions and audit requirements for each and every config item. On *nix you can only do it per file.
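As an added illustration of the per-item permission and audit control described above (my own example, not the poster's), the following PowerShell grants one group read-only access to a single registry key while auditing any write or delete on it. The key path `HKLM:\SOFTWARE\ExampleApp` is a hypothetical placeholder; the script must run elevated (SeSecurityPrivilege is needed to modify a SACL).

```powershell
# Hypothetical config key used for illustration; substitute a real one.
$key = 'HKLM:\SOFTWARE\ExampleApp'

# 1. Discretionary ACL: least privilege for one principal on this one key.
$acl = Get-Acl -Path $key
$readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Users',                 # identity
    'ReadKey',                       # RegistryRights: query/enumerate only
    'ContainerInherit,ObjectInherit',# apply to subkeys as well
    'None',                          # PropagationFlags
    'Allow')
$acl.SetAccessRule($readRule)        # replaces existing Allow entries for that identity
Set-Acl -Path $key -AclObject $acl

# 2. System ACL: audit every successful or failed change to this key.
$sacl = Get-Acl -Path $key -Audit    # -Audit pulls the SACL, not just the DACL
$auditRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    'SetValue,CreateSubKey,Delete',  # the operations worth logging
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $key -AclObject $sacl

# 3. The SACL only produces events if the Registry object-access subcategory
#    is enabled; otherwise nothing is written to the Security log.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Show the resulting DACL and SACL so the reader can confirm both took effect.
Get-Acl -Path $key -Audit | Format-List Path, AccessToString, AuditToString
```

Once the SACL and audit policy are in place, write attempts on that key surface as object-access events in the Security log, which is the per-item audit trail the post contrasts with per-file permissions on *nix.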