Subject: Re: chroot jail for ftpd
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 10/18/2001 18:44:56
>>Yes, highly verboten.  There is another way to accomplish this.  I'll
>>take a look, but I would suggest making THAT check dependent on a sysctl
>>variable that defaults to "off".
>
>I already suggested the sysctl.  Problem is, this check doesn't
>actually close the loophole Thor is worried about, unless you also
>(at a minimum) prohibit anyone from setting x bits on files on a
>filesystem mounted writable-but-noexec.

oh yeah.  there's always something.  i guess the mmap/noexec check is
the "best" solution.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."