setuid

For the setuid system call, the authentication of the root processes is the same as in the execve case. A user running a setuid program which attempts to invoke setuid(0) to set the (real) UID equal to 0, is enforced to type the root password. The password keyed is compared with the encrypted copy kept in the Access Control Database. In case of a password mismatch the setuid(0) invocation is denied. So far only the program su (a setuid program which runs a shell with substitute user and group ID) needs to be monitored with this mechanism.