
If it can perform arbitrary file writes (or even reads) then sure, I'm not at all surprised. A program with root access to the filesystem should be assumed to be a latent portal to arbitrary root execution, unless very thoroughly proven otherwise.

There's a reason setuid is considered such a dangerous bit, and why "get root via this secure-looking setuid program" is a common exercise in computer security courses. Gotta look out for path traversals, TOCTOU, untrusted environment variables etc.

Part of the logical problem is the clash of security models. The program may well have been written to guard against untrusted input, but considers that to only be input files, not the commands the user gives, on the basis that "well if the user wants to hurt themselves by writing to /etc/shadow then it's their choice". But the situation in practice is a confused deputy problem, where the sysadmin wants the user to be restricted (despite the process not being restricted) but the program doesn't "know".
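As an added illustration of the confused-deputy shape discussed above (not code from the thread or from any particular program), here is the kind of check a privileged helper needs once it accepts a destination path from an unprivileged caller: the directory part of the requested path is canonicalised with realpath(3) so that ".." components and symlinked directories cannot move the write outside an administrator-chosen root, and the final component is opened with O_NOFOLLOW so that a symlink planted at the target name is not followed. The allowed root, the file names and the temporary directory layout in run_demo() are all constructed for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <unistd.h>
#include <fcntl.h>
#include <libgen.h>
#include <sys/stat.h>

/* Outcome of the policy check on a requested write target. */
enum target_status { TARGET_OK = 0, TARGET_BAD_INPUT, TARGET_OUTSIDE_ROOT, TARGET_DIR_MISSING };

/* The shape the thread warns about: the caller's path is trusted as-is, so a
 * setuid helper would happily create or truncate any file root can reach. */
int open_unchecked_target(const char *requested)
{
    return open(requested, O_WRONLY | O_CREAT, 0644);
}

/* Hardened policy check: `requested` must be absolute, its directory part
 * (after resolving symlinks and "..") must lie under `allowed_root`, and the
 * final component must be a plain name. The final component is deliberately
 * not resolved because the file may not exist yet; open_checked_target()
 * closes that gap with O_NOFOLLOW. On success the canonical path is written
 * to `resolved`. */
enum target_status check_write_target(const char *requested, const char *allowed_root,
                                      char *resolved, size_t resolved_len)
{
    char root_real[PATH_MAX], dir_copy[PATH_MAX], dir_real[PATH_MAX];

    if (!requested || !allowed_root || requested[0] != '/') return TARGET_BAD_INPUT;
    if (strlen(requested) >= PATH_MAX) return TARGET_BAD_INPUT;
    if (!realpath(allowed_root, root_real)) return TARGET_DIR_MISSING;

    /* Split off the final component; reject empty, "." and ".." names. */
    const char *name = strrchr(requested, '/') + 1;
    if (*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return TARGET_BAD_INPUT;

    strcpy(dir_copy, requested);            /* dirname() may modify its argument */
    if (!realpath(dirname(dir_copy), dir_real)) return TARGET_DIR_MISSING;

    /* Containment: dir_real must equal root_real or start with root_real + "/". */
    size_t rl = strlen(root_real);
    int root_is_fs_root = strcmp(root_real, "/") == 0;
    if (!root_is_fs_root &&
        (strncmp(dir_real, root_real, rl) != 0 || (dir_real[rl] != '\0' && dir_real[rl] != '/')))
        return TARGET_OUTSIDE_ROOT;

    if (snprintf(resolved, resolved_len, "%s/%s", dir_real, name) >= (int)resolved_len)
        return TARGET_BAD_INPUT;
    return TARGET_OK;
}

/* Open a path that passed check_write_target(); O_NOFOLLOW makes the open fail
 * with ELOOP if the final component has been replaced by a symlink. */
int open_checked_target(const char *resolved)
{
    return open(resolved, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
}

/* Builds a constructed layout under a fresh temp dir:
 *   <tmp>/allowed            the administrator-chosen root
 *   <tmp>/outside            a directory the caller must not reach
 *   <tmp>/allowed/escape -> <tmp>/outside   a symlink planted inside the root
 * Returns the number of checks whose verdict did not match the expected one. */
int run_demo(void)
{
    char tmpl[] = "/tmp/setuid-policy-demo-XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base) return -1;

    char allowed[PATH_MAX], outside[PATH_MAX], link[PATH_MAX], req[PATH_MAX], out[PATH_MAX];
    snprintf(allowed, sizeof allowed, "%s/allowed", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    snprintf(link, sizeof link, "%s/allowed/escape", base);
    if (mkdir(allowed, 0700) || mkdir(outside, 0700) || symlink(outside, link)) return -1;

    int failures = 0;

    /* A plain file directly under the root is accepted. */
    snprintf(req, sizeof req, "%s/notes.txt", allowed);
    failures += check_write_target(req, allowed, out, sizeof out) != TARGET_OK;

    /* ".." traversal out of the root is rejected after canonicalisation. */
    snprintf(req, sizeof req, "%s/../outside/notes.txt", allowed);
    failures += check_write_target(req, allowed, out, sizeof out) != TARGET_OUTSIDE_ROOT;

    /* A symlinked directory inside the root that points outside is rejected. */
    snprintf(req, sizeof req, "%s/escape/notes.txt", allowed);
    failures += check_write_target(req, allowed, out, sizeof out) != TARGET_OUTSIDE_ROOT;

    /* Relative paths are rejected before any filesystem lookup. */
    failures += check_write_target("notes.txt", allowed, out, sizeof out) != TARGET_BAD_INPUT;

    unlink(link); rmdir(outside); rmdir(allowed); rmdir(base);
    return failures;
}

int main(void)
{
    int failures = run_demo();
    printf("policy checks with unexpected verdict: %d\n", failures);
    return failures != 0;
}
```

The point of the split between check_write_target() and open_checked_target() is the TOCTOU window mentioned earlier in the thread: the directory is canonicalised at check time, so the only component that can still change between check and open is the final name, and O_NOFOLLOW covers that case. Canonicalising the full path and then opening it without O_NOFOLLOW would leave exactly that race open.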
