In message <20051028144408.GA622@panix.com>, Thor Lancelot Simon writes:
> mount all filesystems containing devices read-only, so that I
>can be *guaranteed* that no new device nodes will be available to user
>processes no matter what else changes.
>

OK -- how do you do that?  That utterly failed for me when I tried it.
Or rather, I ran into trouble when things like init couldn't do 
operations on the devices.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb