> > You would need to disallow set-id execution (and, arguably, device
> > access.)

One could claim that /usr/bin/su, being a suid-root program, should be
quite a bit more paranoid about file ownerships than it is.  If su(1)
simply refused to run unless the password file(s) was owned by root
and mode 600, there wouldn't be any spoofing problem.  Or am I missing
another vulnerability?

-wolfgang
-- 
Wolfgang S. Rupprecht 		     http://www.wsrcc.com/wolfgang/
      Decoding genes for the sake of cloning is against the DMCA

(NOTE: The email address above is valid.  Edit it at your own peril.)