What I've been playing with so far
pppd, wifitools, reboot and ip are setuid root.
skyagent is setuid/setgid root (REALLY, if anyone knows ANYTHING about this, now is the time to speak up).
pppd can execute scripts through pppd connect...
So, I've done this so far...
To make /sqlite_stmt_journals/callit.sh:
echo "exec /system/bin/pppd -detach modem crtscts \\" > /sqlite_stmt_journals/callit.sh
echo "/dev/tty 460800 noipdefault defaultroute \\" >> /sqlite_stmt_journals/callit.sh
echo "noauth name fakeUsername connect \'/sqlite_stmt_journals/dialer\'" >> /sqlite_stmt_journals/callit.sh
To make /sqlite_stmt_journals/dialer:
echo "exec /sqlite_stmt_journals/su - /system/bin/sh" > /sqlite_stmt_journals/dialer
and then I drop su into /sqlite_stmt_journals.
After that, I chmod everything 0755 and chmod su 4755.
Tried to have dialer chown root su, but that doesn't seem to work.
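
For anyone auditing a device against the conditions described in the post above (setuid-root binaries in /system/bin and a writable directory where files can be given set-id bits), here is an added example that is not part of the original post. It flags set-id files and writable mounts that lack nosuid. The file inventory, the uid values, the skyagent path and the mount lines are constructed sample data and assumptions, not values read from the device.

```python
import stat

# Constructed sample inventory, not taken from the device: (path, st_mode, uid, gid)
SAMPLE_FILES = [
    ("/system/bin/pppd", 0o104755, 0, 0),          # setuid root
    ("/system/bin/skyagent", 0o106755, 0, 0),      # setuid + setgid root
    ("/system/bin/sh", 0o100755, 0, 2000),         # no set-id bits
    ("/sqlite_stmt_journals/su", 0o104755, 10042, 10042),  # setuid, non-root owner
]
# Constructed /proc/mounts-style lines; file systems and options are assumptions.
SAMPLE_MOUNTS = """\
rootfs / rootfs ro 0 0
/dev/block/mtdblock3 /system yaffs2 ro 0 0
tmpfs /sqlite_stmt_journals tmpfs rw,size=4096k 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that is a whole-component prefix of path."""
    hits = [m for m in mounts if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len)

def audit(files, mounts):
    """Return (path, reason) for every set-id file that needs review."""
    findings = []
    for path, mode, uid, gid in files:
        suid, sgid = mode & stat.S_ISUID, mode & stat.S_ISGID
        if not (suid or sgid):
            continue
        opts = mounts[mount_for(path, mounts)]
        if "rw" in opts and "nosuid" not in opts:
            findings.append((path, "set-id file on a writable mount without nosuid"))
        elif (suid and uid == 0) or (sgid and gid == 0):
            findings.append((path, "runs as root uid/gid; confirm it must"))
    return findings

def mounts_missing_nosuid(mounts):
    """Writable mount points where set-id bits are still honoured."""
    return sorted(m for m, o in mounts.items() if "rw" in o and "nosuid" not in o)
```

On a real system the inventory would come from os.lstat() over the file tree and the mount text from /proc/mounts.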