If my_tool tries to read a file owned by root (UID 0) with permissions set to 600 (read/write for owner only), the kernel checks the process's effective UID (EUID). It sees 1000, compares it to the file's owner (0), and denies access. The SUID bit solves this paradox. With the SUID bit set on su, the process starts its life with EUID 0 (root) no matter who launched it, while its real UID still records who that was, so the kernel's check against the root-owned file now passes. Many lightweight images, like Alpine Linux, leave the SUID bit off their binaries by default to reduce the attack surface; in such an image su cannot switch users and aborts with the BusyBox error "su: must be suid to work properly".
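The following is an added example, not code from the original article: a small C program that emulates the discretionary access check described above (owner, group, other classes, with the EUID 0 override that makes a set-uid-root su work) and shows the privilege drop a set-uid program should perform once root is no longer needed. The function names dac_allows and drop_privileges, the UID 1000 caller and the 0600 root-owned file are this example's own assumptions modelled on the scenario in the text.

```c
/* Added example (not from the original article): emulate the kernel's DAC
 * decision for a file and show how a set-uid program drops privileges. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic UNIX discretionary access check.
 * Pick the permission class that applies to the caller (owner, group, other),
 * then require every requested bit to be present in that class.
 * EUID 0 bypasses read and write checks entirely (CAP_DAC_OVERRIDE); for
 * execute, even root needs at least one x bit on the file.
 * Simplification: only the effective GID is compared, not supplementary groups.
 * Returns 1 if access is granted, 0 if denied. */
int dac_allows(uid_t euid, gid_t egid, uid_t owner, gid_t group,
               mode_t mode, int want /* bitmask of R_OK, W_OK, X_OK */)
{
    if (euid == 0) {
        if (!(want & X_OK))
            return 1;
        return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    }

    int shift;
    if (euid == owner)
        shift = 6;              /* rwx------ */
    else if (egid == group)
        shift = 3;              /* ---rwx--- */
    else
        shift = 0;              /* ------rwx */

    int have = (mode >> shift) & 7;
    int need = ((want & R_OK) ? 4 : 0)
             | ((want & W_OK) ? 2 : 0)
             | ((want & X_OK) ? 1 : 0);
    return (have & need) == need;
}

/* After a set-uid program has done the one thing that needed root, drop to
 * the real UID/GID permanently. setresuid/setresgid set real, effective and
 * saved IDs together, so the saved set-user-ID cannot be used to climb back.
 * Returns 0 on success, -1 on failure; a failed drop must never be ignored. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Verify the drop actually took effect. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    /* Scenario from the text: a root-owned file with mode 600. */
    uid_t file_owner = 0;
    gid_t file_group = 0;
    mode_t file_mode = 0600;

    printf("real uid=%u effective uid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());

    /* Plain UID 1000 process: denied. Set-uid-root process (EUID 0): granted. */
    printf("uid 1000 reading the 0600 root file: %s\n",
           dac_allows(1000, 1000, file_owner, file_group, file_mode, R_OK)
               ? "allowed" : "denied");
    printf("euid 0 reading the 0600 root file:   %s\n",
           dac_allows(0, 0, file_owner, file_group, file_mode, R_OK)
               ? "allowed" : "denied");

    /* What the running process itself would get for that file. */
    printf("this process reading it: %s\n",
           dac_allows(geteuid(), getegid(), file_owner, file_group,
                      file_mode, R_OK) ? "allowed" : "denied");

    if (drop_privileges() != 0) {
        fprintf(stderr, "failed to drop privileges, refusing to continue\n");
        return 1;
    }
    printf("after drop: real uid=%u effective uid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Compiled as-is and run by an ordinary user it reports a matching real and effective UID and a denied read. To see the SUID effect, have root install the binary with chown root:root and chmod 4755 and run it again as the unprivileged user: the effective UID becomes 0 and the read is granted, while the real UID stays that of the caller, and the final line shows both back at the caller's UID after the drop. On a filesystem mounted nosuid (common for container and tmpfs mounts) the kernel ignores the bit and the program stays at the caller's UID, which is the same reason su fails in images that ship without it.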