Subject: Re: forkexec(2)
To: Todd Vierling <tv@NetBSD.ORG>
From: None <darrenr@reed.wattle.id.au>
List: tech-kern
Date: 04/13/1998 23:24:49
In some email I received from Todd Vierling, sie wrote:
> 
> On Mon, 13 Apr 1998, Ignatios Souvatzis wrote:
> 
> : You need something like:
> : 
> : /* save my versions */
> : savestdin = dup(0);
> 
> : /* open child's versions */
> : close(0);
> : open(what I want to be at stdin in the child);
> 
> : callexec();
> 
> "Security problem."  What is stopping the child program from arbitrarily
> reading from the file descriptors dup()ed above?  "Oh, we need to restrict
> forkexec() to only pass descriptors 0-2."  ick.

Given that "forkexec()" is a `new' system call, you could change some
semantics here...such as closing all fd's except those flagged to be
kept open (i.e. FD_CLOEXEC would be implied if not set) and require a
FD_OPENFEXEC (keep open across forkexec).  The library interface to this
might do an fcntl() on stdin, stdout and stderr (NOT 0, 1, and 2).

I'm only suggesting that because forkexec(2) is a `new' suggestion and
since programs need to be modified to use it, it can't hurt too much to
require a bit more work at the same time :)

Darren
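The semantic Darren sketches above, as an added C example that is not code from this thread or from NetBSD: FD_OPENFEXEC is hypothetical, so a caller-supplied keep list stands in for the flag and FD_CLOEXEC makes execve() close everything else, which is what stops the saved dup() of stdin from leaking into the child.

```c
/* Added example, not NetBSD code nor the forkexec(2) proposal itself: a user-space
 * emulation of "close everything not flagged to stay open". FD_OPENFEXEC is
 * hypothetical, so a keep list stands in for it and FD_CLOEXEC lets execve() close. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>

/* 1 if fd would survive execve(), 0 if it would be closed, -1 if not open. */
int survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : !(flags & FD_CLOEXEC);
}

/* Mark every open descriptor not listed in keep[] close-on-exec.
 * Returns how many open descriptors were marked, or -1 on error. */
int mark_cloexec_except(const int *keep, size_t nkeep) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)   /* bound the scan on huge or unknown limits */
        maxfd = 65536;
    int marked = 0;
    for (int fd = 0; fd < maxfd; fd++) {
        size_t i = 0;
        while (i < nkeep && keep[i] != fd) i++;
        if (i < nkeep)
            continue;                 /* flagged "FD_OPENFEXEC": leave it alone */
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1)
            { if (errno == EBADF) continue; return -1; }  /* unopened slot is fine */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        marked++;
    }
    return marked;
}

/* The thread's scenario: a saved copy the child must not inherit (a pipe end
 * stands in for savestdin = dup(0)) beside one descriptor flagged to stay open.
 * Returns 0 when exactly the flagged one would survive exec, 1 otherwise. */
int demo_only_flagged_fd_survives(void) {
    int p[2], rc = -1;
    if (pipe(p) != 0)
        return -1;
    const int keep[] = { 0, 1, 2, p[1] };   /* p[1] carries the "flag" */
    if (mark_cloexec_except(keep, 4) >= 0)
        rc = (survives_exec(p[0]) == 0 && survives_exec(p[1]) == 1) ? 0 : 1;
    close(p[0]); close(p[1]);
    return rc;
}
```

A library wrapper in the spirit of the message would build the keep list from fileno(stdin), fileno(stdout) and fileno(stderr) rather than the literals 0, 1 and 2.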