Subject: Re: CRITICAL ** Holes in default cron jobs ** CRITICAL
To: None <tech-kern@NetBSD.ORG>
From: Matt Thomas <matt@lkg.dec.com>
List: tech-kern
Date: 01/02/1997 13:22:12
I've been thinking about this for a while. I think a possible solution
could be a flag similar to nosuid.
In essence, this flag would force a small change to the semantics of
following symlinks. Symlinks would be followed iff they are owned by
root or what they point to has the same owner as the symlink.
I think this would seal up the security holes with symlinks without totally
disabling them.
Comments?
--
Matt Thomas Internet: matt@3am-software.com
3am Software Foundry WWW URL: http://www.3am-software.com/bio/matt.html
Westford, MA Disclaimer: I disavow all knowledge of this message
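
The ownership rule proposed in the message, sketched as a userspace check. This is an added example, not code from the original message or from NetBSD. The function names are hypothetical, and reporting a dangling link as an error is an assumption, since the message does not cover that case.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>

/* The rule as stated: follow a symlink iff root owns it, or the link and
 * the object it points to have the same owner. */
int owner_rule_allows(uid_t link_uid, uid_t target_uid)
{
    return link_uid == 0 || link_uid == target_uid;
}

/* Evaluate the rule for one path.
 * Returns 1 if the path would be followed, 0 if refused, -1 on error.
 * Caveats: stat() resolves the whole link chain, whereas a kernel would
 * apply the rule at every hop during name lookup; and a userspace check
 * is racy, so this only illustrates the policy decision. */
int check_symlink(const char *path)
{
    struct stat lst, tst;

    if (lstat(path, &lst) == -1)
        return -1;
    if (!S_ISLNK(lst.st_mode))
        return 1;                 /* not a symlink: rule does not apply */
    if (lst.st_uid == 0)
        return 1;                 /* root-owned links are always followed */
    if (stat(path, &tst) == -1)
        return -1;                /* dangling link (assumption: error) */
    return owner_rule_allows(lst.st_uid, tst.st_uid);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = check_symlink(argv[i]);
        if (r == -1)
            printf("%s: error: %s\n", argv[i], strerror(errno));
        else
            printf("%s: %s\n", argv[i], r ? "follow" : "refuse");
    }
    return 0;
}
```

With constructed uids, a link owned by uid 1000 that points at a root-owned file is refused, while a link and target both owned by uid 1000 are followed.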