>> (I'd actually _like_ to see something capabilityish, in which case
>> "can use fexecve" would be a capability that could be removed, from
>> init if need be, on systems that care about this sort of thing.)

> Couldn't we have an enable/disable sysctl variable for this?
Certainly.  I would count that as "something capabilityish" - after all,
assuming it's per-process, in what ways, aside from the APIs used to
control it, does that differ from a capability?

Or, to return for a moment to my roots,

	$ SET PROC/PRIV=FEXECVE

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mo...@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B