Subject: Re: chroot(2)
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Julian Assange <proff@iq.org>
List: tech-kern
Date: 10/05/1998 23:02:10

> Yeah...I tend to use chroot(8) to do the chroot, then have a tiny
> program in the new root that does setuid() and execs the relevant
> binary.  That way there doesn't need to be any untrusted code run as
> root, it's chrooted, and in some cases there can even be no set-id
> programs accessible in the jail....

chroot(8) is fundamentally broken, as it requires the executable to 
be inside the jail.

Cheers,
Julian.
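
The chroot, setuid(), exec sequence from the quoted text, sketched in C as an added example that is not code from either poster; the names `parse_id` and `jail_and_exec` and the command-line layout are assumptions. Because it calls chroot(2) itself, this helper lives outside the jail and only the binary it execs has to exist inside.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse a numeric uid/gid; reject 0 (root), junk and overflow. 0 on success. */
int parse_id(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v <= 0 || v > INT_MAX)
        return -1;
    *out = v;
    return 0;
}

/* Enter the jail, shed root irreversibly, then exec. Returns only on failure. */
int jail_and_exec(const char *jail, uid_t uid, gid_t gid, char *const argv[])
{
    if (chroot(jail) != 0 || chdir("/") != 0)   /* chdir: leave no cwd outside the jail */
        return -1;
    if (setgroups(0, NULL) != 0)                /* drop supplementary groups while still root */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* gid first: setgid fails once uid is dropped */
        return -1;
    if (setuid(0) == 0)                         /* regaining root must fail, else abort */
        return -1;
    execv(argv[0], argv);                       /* path is resolved inside the jail */
    return -1;
}

int main(int argc, char **argv)
{
    long uid, gid;
    if (argc < 5 || parse_id(argv[2], &uid) || parse_id(argv[3], &gid)) {
        fprintf(stderr, "usage: %s jail uid gid /path/in/jail [args...]\n", argv[0]);
        return 2;
    }
    jail_and_exec(argv[1], (uid_t)uid, (gid_t)gid, &argv[4]);
    perror("jail_and_exec");
    return 1;
}
```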