Subject: Re: chroot jail for ftpd
To: Jason R Thorpe <thorpej@wasabisystems.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-kern
Date: 10/18/2001 18:20:31
> > Setting LD_LIBRARY_PATH to point to a writable filesystem, and putting
> > a "trojan" shared library there, gives any user a trivial way to break
> > out of the sandboxes.  Thor is asking to close that loophole.
>
>Right, I know that one ... attached is a patch which should fix it.
>...
>+ 		if ((prot & PROT_EXEC) != 0 &&
>+ 		    (vp->v_mount->mnt_flag & MNT_NOEXEC) != 0)
>+ 			return (EACCES);
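Review bot: the test on `prot` in the first added line only covers the protection requested when the mapping is created. Unless the mapping's maximum protection is also stripped of PROT_EXEC when MNT_NOEXEC is set, a mapping made without PROT_EXEC can gain it afterwards through mprotect() and this check never runs again. Suggest masking the execute bit out of the maximum protection in the same place. The surrounding lines are elided, so also confirm that `vp->v_mount` cannot be NULL at this point before dereferencing it.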

correct me if i'm wrong, but can't we also add

	(VTOI(vp)->i_ffs_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0

to that to do what thor was asking about?  hmm...perhaps that kind of
construct is verboten in this part of the kernel...

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."