Subject: Re: File names and security...
To: None <woods@web.net>
From: Andrew Brown <codewarrior@daemon.org>
List: current-users
Date: 06/08/1997 13:54:32
>What if there were a sysctl that would do something like the following
>for every non-set-user-id exec():
>
>    if (!exec_with_priv_ok && (geteuid() == 0 || getuid() != geteuid())) {
>        if (getuid() != 0)
>            setuid(getuid());
>        else
>            setuid(UID_NOBODY);
>    }
>
>The exec_with_priv_ok flag would be a new extension to the exec() family
>for use by setguid programs that wish to pass on their privileges to a
>child process. It could in fact be the value of the new sysctl flag by
>default.
while i can appreciate what you're trying to do, your sample code
would (if i understand it) a) require the UID_NOBODY value to be
compiled into the kernel and b) would not work for the situation where
"exec_with_priv_ok" was unset and uid==euid==0. this would end up
calling setuid(NOBODY).

rather than add yet another layer of "obscurity" and require changing
many programs, why don't "we" just "fix" the programs?
--
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan) * "ah! i see you have the internet
codewarrior@daemon.org that goes *ping*!"
warfare@graffiti.com * "information is power -- share the wealth."
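
The uid==euid==0 case raised in the reply, as an added example that is not part of the original message or of any kernel source: a user-space C model of the quoted check, tabulating the credentials a non-set-user-id program would end up with. The `UID_NOBODY` value, `struct cred` and `proposed_exec_cred` are assumptions made for illustration, and `setuid()` is modelled as an assignment that always succeeds.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumed value for illustration; the thread does not give one. It has to be
 * a compile-time constant here, which is objection (a) in the reply. */
#define UID_NOBODY ((uid_t)32767)

struct cred { uid_t ruid, euid; };   /* hypothetical, not a kernel type */

/* Model of the quoted check for a non-set-user-id exec(). setuid() is
 * modelled as an assignment to both ids that always succeeds. */
static struct cred proposed_exec_cred(struct cred c, bool exec_with_priv_ok)
{
    if (!exec_with_priv_ok && (c.euid == 0 || c.ruid != c.euid)) {
        uid_t target = (c.ruid != 0) ? c.ruid : UID_NOBODY;
        c.ruid = target;
        c.euid = target;
    }
    return c;
}

int main(void)
{
    /* Constructed sample credentials (real uid, effective uid). */
    static const struct { const char *what; struct cred c; } cases[] = {
        { "ordinary user",              { 1000, 1000 } },
        { "user inside set-uid-root",   { 1000, 0 } },
        { "user inside set-uid-other",  { 1000, 2000 } },
        { "root shell (uid==euid==0)",  { 0, 0 } },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        for (int ok = 0; ok <= 1; ok++) {
            struct cred r = proposed_exec_cred(cases[i].c, ok != 0);
            printf("%-28s priv_ok=%d  %lu/%lu -> %lu/%lu\n", cases[i].what, ok,
                   (unsigned long)cases[i].c.ruid, (unsigned long)cases[i].c.euid,
                   (unsigned long)r.ruid, (unsigned long)r.euid);
        }
    }
    return 0;
}
```

In this model the last row with the flag unset is the only one where a process that never gained privilege through a set-id bit still has its identity changed.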