Subject: Re: clockctl
To: Perry E. Metzger <perry@wasabisystems.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-kern
Date: 09/17/2001 09:22:36
>Indeed, sometimes it would be nice to *remove* normal privs. For
>example, many daemons are often overflow exploited by calling
>exec, but normally would never call exec themselves. They could give
>up the ability to call exec.

i did this once, for exec specifically.  i added an int to struct proc
that counted the number of times a process was allowed to call exec (-1
is unlimited, 0 is never, 1 is one, etc), added a syscall to allow
setting it from userspace (anyone can shoot themselves in the foot and
set it to something other than -1, or lower than it is, but no one can
raise it or set it to -1), and tweaked exec to check and set this
value.

it worked fine, but no one cared, so i never modified inetd to take
advantage of this.  about the most constructive comment i got was that
my time would be better wasted on implementing acls for system calls
and removing suser() from the kernel entirely.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
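The exec-budget mechanism described in the message above, modelled in user space as an added example for this page. This is not the author's patch and not NetBSD code: the field name p_execlimit, the syscall name sys_setexeclimit and the toy sys_execve are assumptions chosen for illustration. It encodes the stated rules (-1 unlimited, 0 never, N counts down; the setter may only lower, never raise, and never restore -1) and plays out the inetd case the mail mentions, where a service process that has been overflowed finds its exec budget already spent.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed user-space model of the mechanism from the mail; assumed names. */
#define EXEC_UNLIMITED (-1)

struct proc {
    int p_pid;
    int p_execlimit;   /* assumed field: -1 unlimited, 0 never, N = N more execs */
};

/* Model of the setter syscall.  Returns 0 or -errno.
 * Rules from the mail: anyone may lower the value, nobody may raise it,
 * and -1 can never be (re)instated once left.  Setting the same value is
 * treated as a permitted no-op since it raises nothing (my reading). */
int sys_setexeclimit(struct proc *p, int newlimit)
{
    if (newlimit < EXEC_UNLIMITED)
        return -EINVAL;                          /* nonsense value */
    if (newlimit == EXEC_UNLIMITED)
        return p->p_execlimit == EXEC_UNLIMITED ? 0 : -EPERM;
    if (p->p_execlimit != EXEC_UNLIMITED && newlimit > p->p_execlimit)
        return -EPERM;                           /* raising is refused */
    p->p_execlimit = newlimit;
    return 0;
}

/* Model of the check added to the exec path: spend one unit or refuse. */
int exec_check_limit(struct proc *p)
{
    if (p->p_execlimit == EXEC_UNLIMITED)
        return 0;
    if (p->p_execlimit == 0)
        return -EPERM;
    p->p_execlimit--;                            /* the new image inherits N-1 */
    return 0;
}

/* Toy exec: run the budget check, then pretend the image was replaced. */
int sys_execve(struct proc *p, const char *path)
{
    int err = exec_check_limit(p);
    if (err)
        return err;
    printf("pid %d: exec %s (execs left: %d)\n", p->p_pid, path, p->p_execlimit);
    return 0;
}

/* Setter rules: from unlimited you may pick any count, then only lower it. */
int scenario_lower_only(void)
{
    struct proc p = { 1, EXEC_UNLIMITED };
    if (sys_setexeclimit(&p, 3) != 0)      return 1;   /* -1 -> 3 allowed */
    if (sys_setexeclimit(&p, 5) != -EPERM) return 2;   /* raise refused */
    if (sys_setexeclimit(&p, -1) != -EPERM) return 3;  /* back to unlimited refused */
    if (sys_setexeclimit(&p, -7) != -EINVAL) return 4; /* garbage refused */
    if (sys_setexeclimit(&p, 2) != 0)      return 5;   /* lowering allowed */
    return p.p_execlimit == 2 ? 0 : 6;
}

/* The inetd case from the mail: the forked child sets a budget of exactly
 * one before exec'ing the service, so an overflow in the service that
 * tries to exec a shell is refused by the kernel.  Returns the result of
 * that second exec attempt. */
int scenario_inetd(void)
{
    struct proc child = { 4242, EXEC_UNLIMITED };
    if (sys_setexeclimit(&child, 1) != 0)
        return -1;
    if (sys_execve(&child, "/usr/libexec/service") != 0)  /* budget 1 -> 0 */
        return -2;
    return sys_execve(&child, "/bin/sh");                  /* attacker's exec */
}

int main(void)
{
    printf("setter rules: %s\n", scenario_lower_only() == 0 ? "ok" : "FAIL");
    printf("inetd child second exec: %s\n",
           scenario_inetd() == -EPERM ? "refused (EPERM)" : "FAIL");
    return 0;
}
```

A service that legitimately execs children (a CGI-style handler, say) would need the parent to hand it a larger count, which is exactly the "shoot yourself in the foot" trade-off the mail describes: the budget is a self-imposed cap, not a policy the kernel enforces on anyone else's behalf.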