Of course, because that is an easy way to plug a security hole.
I was thinking that it would be good to add all the checks to
let suid scripts run in a secure manner. I think it would involve
resolving symlinks to find the true inode which would be used as
the file. Then of course the inode needs a filename, so we
generate one in /proc/suidexec. (damn unix filesystem...)
You would also need a shell that ignores $IFS and such.
You could call that a user space issue, or you could just
completely clear the environment.
This is post-2.0 of course, because it takes time to find all the
checks that are needed.