Subject: re: $HOSTALIASES thing.
To: None <itojun@iijlab.net>
From: matthew green <mrg@eterna.com.au>
List: tech-kern
Date: 11/05/2000 01:03:03
   
   	still, a bad guy can write an application just for overflowing /var.
   	with setuid'ed xterm, it is not really possible (bad guy may be able to
   	start as many xterm as I can).  i don't have the complete solution
   	anyways but i think it still better to use setuid'ed xterm (of course,
   	xterm should drop setuid earliest possible).


this is false.  i can overflow /var on any machine that makes a log entry
for some action i can take as many times as i like.  eg, logger(1).


xterm is a program we should *definitely* want to remove any privs from.