...
The following non-compliant code example compiles cleanly on most POSIX-based systems; however, no explicit checks are made to ensure that privilege relinquishment is carried out successfully. This may be dangerous depending on the sequence of the preceding privilege changes.
...
The function in this non-compliant code example correctly follows the principle of least privilege; however, due to inconsistencies and implementation-defined behavior of certain functions (such as setuid()) across operating systems, the final result may be unexpected. Here, when privileges are given up temporarily for the final time, the effective user ID of the process is set to the real user ID. Unexpectedly, the call to setuid(realuid) that follows does not affect the saved set-user-ID, since the effective UID is no longer 0 (except on FreeBSD and NetBSD). If a seteuid(0) gets executed maliciously after this statement, root privileges would be recovered from the saved set-user-ID.
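As an added example (not the page's own code), the helper below drops privileges permanently and then verifies the drop instead of trusting the return value of setuid(): it checks the real and effective user IDs and confirms that seteuid(0) can no longer succeed, which is exactly the recovery path the paragraph describes. It assumes a POSIX system and that, for a real drop from root, it is called while the effective UID is still 0 so that setuid() also overwrites the saved set-user-ID.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to `newuid` and verify that root cannot be regained.
   Returns 0 on verified success, -1 on failure (errno describes the cause).
   Call this while the effective UID is still 0: on most systems setuid()
   does not touch the saved set-user-ID once the effective UID is non-zero. */
int drop_privileges_permanently(uid_t newuid)
{
    /* Step 1: the actual drop. With euid == 0 this sets real, effective
       and saved set-user-ID; with a non-zero euid only the effective ID. */
    if (setuid(newuid) == -1)
        return -1;

    /* Step 2: do not trust the return value alone; re-read the IDs. */
    if (getuid() != newuid || geteuid() != newuid) {
        errno = EPERM;
        return -1;
    }

    /* Step 3: when dropping to a non-root UID, regaining root must fail.
       If seteuid(0) succeeds here, a stale saved set-user-ID of 0 was
       left behind and the drop was not permanent. */
    if (newuid != 0 && seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t target = getuid();   /* constructed: drop to our own real UID */
    if (drop_privileges_permanently(target) == 0)
        printf("privileges verified dropped to uid %u\n", (unsigned)target);
    else
        perror("drop_privileges_permanently");
    return 0;
}
```

Run as root with a non-root target (for example the UID of a dedicated service account) to exercise the full check; as an unprivileged user the function only confirms that no saved root ID is present.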
...