Re: The real culprit
> That said, something like visudo (if installed) would get around that ;-(
visudo is not setuid.
It's better in this case for visudo to run with the permissions of the invoker, rather than itself be granted permissions to edit /etc/sudoers.