According to Todd Vierling:
>
>If you need repeated access to a file as a particular user ID but want to
>avoid opening root holes while the "main" process is running suid, you could
>socketpair(), fork(), give up all privilege other than that user's ID, and
>the subprocess can then open a specific, restricted subset of files as that
>user and pass them to the parent.

*ahem* I did suggest exactly that before this thread hit the tech*
mailing lists - that seemed to get ignored.  The downside is that you
are forced to fork another copy of the program.

>  This is, however, just a blown up version
>of the simpler:
>

I have seen that not work on some other versions on unix which may be
why it does not get used.

-- 
===============================================================================
Brett Lymn, Computer Systems Administrator, BAE SYSTEMS
===============================================================================