Long, long ago we had this: https://fedoraproject.org/wiki/Features/RemoveSETUID
> There is probably a good case to be made that setuid is more secure than a random service that can set up

I totally agree, but my humble (maybe ignorant and less informed) idea is something like pam_oddjob_mkhomedir: it's a process (protected by PolicyKit) which has a small, humble job, which is to configure the network (e.g. add a veth pair to some bridge and the given user's container).