A major caveat in tools like sudo and doas for that matter is that they rely on setuid binaries and privilege escalation in order to run commands as root.The design is not ideal, and also drags in a few limitations:The whole user session needs to retain capabilities to perform privilege escalation.They don’t work when running an entire user session in a restricted user namespace.setuid binaries limitations on how the whole system is secured.An interesting alternative with a is s6-sudod, which sp...