setuid and setgid are short for "set user ID" and "set group ID". They allow a user to run a program with the same user and group as the owner and group of the executable. This lets the user temporarily have more privileges than they normally would. For example, if a program has the setuid flag set and is owned by root, it runs as root even when a normal user executes it. This is essential for allowing non-staff users to run programs such as ping, because ping must send and listen for packets on a network interface. Normally only root would have access to the network interface, but setuid allows any user to run ping.
As you can probably guess, this can be a massive security risk. If the setuid bit is set on a badly designed program, a user could exploit a bug in it to become root.
Here is a command to find any files that have the setuid flag (this matches the setuid bit, mode 4000; the setgid bit is mode 2000, so -perm -2000 lists setgid files):
# find / -perm -4000
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/doas
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/passwd
/usr/bin/su
/usr/libexec/auth/login_chpass
/usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd
/usr/libexec/lockspool
/usr/libexec/ssh-keysign
/usr/sbin/authpf
/usr/sbin/authpf-noip
/usr/sbin/pppd
/usr/sbin/traceroute
/usr/sbin/traceroute6
/sbin/ping
/sbin/ping6
/sbin/shutdown
The files above are part of the operating system and are trusted and audited by the OpenBSD developers.
WARNING: If you see any other binaries, then watch out! You may want to delete packages that created those files, or delete the files themselves. These files may be a serious security risk to your server.
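The check above can be automated so that a periodic run reports only what is outside the trusted list. The script below is an added example, not part of the original page or of OpenBSD; it uses the page's find command and its list of base-system setuid binaries as an allowlist and prints any other setuid file it finds.

```shell
#!/bin/sh
# Added example (not from the page): compare the setuid binaries found on a
# system against the trusted OpenBSD base-system list shown above.

# Allowlist copied from the page's find output; one path per word.
EXPECTED_SETUID='/usr/bin/chfn /usr/bin/chpass /usr/bin/chsh /usr/bin/doas
/usr/bin/lpr /usr/bin/lprm /usr/bin/passwd /usr/bin/su
/usr/libexec/auth/login_chpass /usr/libexec/auth/login_lchpass
/usr/libexec/auth/login_passwd /usr/libexec/lockspool /usr/libexec/ssh-keysign
/usr/sbin/authpf /usr/sbin/authpf-noip /usr/sbin/pppd
/usr/sbin/traceroute /usr/sbin/traceroute6 /sbin/ping /sbin/ping6 /sbin/shutdown'

# unexpected_setuid PATHS: print each newline-separated path in PATHS that is
# not on the allowlist; return 1 if any were printed, 0 otherwise.
unexpected_setuid() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # grep -Fx does a fixed-string, whole-line match, so a path that merely
        # contains an allowlisted name (e.g. under another prefix) is still reported.
        if ! printf '%s\n' $EXPECTED_SETUID | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
            found=1
        fi
    done <<EOF
$1
EOF
    return $found
}

# audit_system: run the page's find command (regular files only, errors from
# unreadable paths discarded) and report anything outside the allowlist.
audit_system() {
    unexpected_setuid "$(find / -type f -perm -4000 2>/dev/null)"
}

# The live scan only runs when asked for explicitly:  sh audit-setuid.sh --scan
if [ "${1-}" = "--scan" ]; then
    audit_system
fi
```

Run it as root from cron and alert on a non-zero exit status; an empty report with exit 0 means only the base-system binaries carry the setuid bit.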