YAMAMOTO Takashi wrote:
>> +	/* XXX Must be owned by root. */
>> +	if (va->va_uid != 0)
>> +		return (EPERM);
>> +
>> +	/* Must not be writable by group or other. */
>> +	if (va->va_mode & (S_IWGRP | S_IWOTH))
>> +		return (EPERM);
>> +
>> +	return (0);
> 
> this kind of permission checks are filesystem dependent.
> consider acls or remote filesystems.

yes, that's why it's "simple".

how do you suggest doing it?

-e.