Attacker now waits.  Eventually, someone runs something that uses the
   real libfoo.so.  The dynamic linker finds the bogus cache file, sees it
   has the right checksum-- and uses its symbol values.  Oops.


updating the cache should be a root-only thing.  anything leads to
maddness as you say.  also, it seems that set-id programs should
probably _not_ use prebinding (hmm.. need to think more on that one).


.mrg.