Subject: descriptor 012 hack in kern_descrip.c
To: None <tech-kern@netbsd.org>
From: Jaromir Dolecek <jdolecek@netbsd.org>
List: tech-kern
Date: 05/03/2002 11:36:33
Hi,
I realized the protection of descriptors 0, 1, 2 of suid/sgid
programs can be very easily done with 'nonmature' descriptors,
rather than the hack to open /dev/null. This would render those
descriptors invisible from userland (any access would return EBADF),
but the slots would be used up and thus new descriptors won't
accidentally land into 0, 1, 2.  close(2), dup2(2) would work as
expected.

I.e. my proposal is to falloc() the descriptor, but NOT
FILE_SET_MATURE() it, and remove the icky /dev/null thing.

Opinions?

Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.NetBSD.org/Ports/i386/ps2.html
-=- We should be mindful of the potential goal, but as the tantric    -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow.   Do not let this distract you.''     -=-
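
Added example (not part of the original message and not NetBSD kernel code): a userland C sketch of the problem discussed above, showing that a new descriptor takes the lowest free slot and that filling free slots 0, 1, 2 with /dev/null keeps later opens out of them. The function names are hypothetical, and the sketch assumes a single-threaded process with /dev/null present.

```c
/* Added illustration; userland only, function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is an open descriptor, 0 if its slot is free (EBADF). */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Close slot fd, open a file, and report which slot the new descriptor
 * landed in. The original descriptor is restored before returning. */
int slot_after_close(int fd)
{
    int saved = dup(fd);            /* -1 if fd was already closed */
    close(fd);
    int landed = open("/dev/null", O_RDONLY);
    if (landed != -1)
        close(landed);
    if (saved != -1) {
        dup2(saved, fd);
        close(saved);
    }
    return landed;
}

/* Fill every free slot among 0, 1, 2 with /dev/null so later open()
 * calls cannot land there. Returns the number filled, -1 on error. */
int fill_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", O_RDWR);
        if (nfd != fd) {            /* lowest free slot should be fd */
            if (nfd != -1)
                close(nfd);
            return -1;
        }
        filled++;
    }
    return filled;
}

int main(void)
{
    printf("slots filled at start: %d\n", fill_std_fds());
    printf("open() after close(2) landed in slot %d\n", slot_after_close(2));
    return 0;
}
```

With this fill, reads and writes on the slot succeed against /dev/null, whereas the message proposes that any access return EBADF.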