Subject: Re: new sysctl - privileged ports runtime option?
To: Joe Reed <jnr@po.cwru.edu>
From: None <itojun@iijlab.net>
List: tech-kern
Date: 08/12/2002 09:12:30
>what you can do though is remove the restriction on the ports, then use 
>systrace to restrict them.  this gives you the ability to have sendmail, 
>etc. running as an unpriv user, but still allowed to bind to the proper 
>port(s).

	systrace can enforce policy for certain programs (by
	/etc/systrace/usr_bin_finger and such), not all programs.
	how do you suggest enforcing it for multiple programs available on the
	system?

itojun