In message <20050406170637.GA80072@gateway.pointless.nl>, Peter Postma writes:

>
>You might not think this improves security, but I think it does.

I agree, though /etc/security should be fixed so that it doesn't 
complain about the "_" character.
>
>And why should we do this different than OpenBSD? Their pflogd(8) has
>been developed in a way to reduce potentional security issues, why
>should we ignore that?
>
There are often lots of reasons to disagree with them; this isn't one 
of them.  We really want to limit the damages that can be done by any 
single malfunctioning program.

A more interesting question is whether or not there's a better way, 
since lots of special-purpose logins create their own manageability 
headaches.  Perhaps something with systrace?

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb