Subject: Re: LD_CHROOT idea
To: Luke Mewburn <lukem@wasabisystems.com>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-security
Date: 04/10/2001 01:22:44
>The idea is to add a few more environment variables to ld.so;
>	LD_CHROOT	directory to chdir(2) then chroot(2) to
>	LD_CHROOT_UID	uid to run as (optional)
>	LD_CHROOT_GID	gid to run as (optional)
>	LD_CHROOT_GIDS	comma-separated list of secondary gids (optional)

Sounds reasonable.  Do we support late binding?  I know I had problems
running smtpd chrooted on Solaris until I added some code to force it
to do a gethostby*() before calling chroot().

If the answer is yes, should LD_CHROOT force bind now semantics?

>If LD_CHROOT is set and the process isn't setuid or setgid, then

Yep, sounds ok.  Allowing LD_CHROOT for setuid progs could open
a can of worms - that you don't get with chroot(8).

--sjg
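
One way the quoted variables could be applied, as an added example that is not code from either poster or from ld.so. It assumes numeric ids only, so nothing has to be looked up or loaded after chroot(2), which is the late-binding concern raised above. `parse_ids`, `is_setugid`, `apply_ld_chroot` and `MAX_GIDS` are hypothetical names, and clearing the inherited supplementary groups whenever any id is given is an assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1        /* chroot(2) and setgroups(2) prototypes on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>
#define MAX_GIDS 16              /* illustrative limit, not from the proposal */

/* Parse "10,20,30" into out[]; returns the count, or -1 on malformed input. */
int parse_ids(const char *s, gid_t *out, int max)
{
    int n = 0;
    while (*s) {
        char *end;
        if (*s < '0' || *s > '9' || n == max) return -1;  /* no sign, no blanks */
        errno = 0;
        unsigned long v = strtoul(s, &end, 10);
        if (errno || (gid_t)v != v || (*end && *end != ',')) return -1;
        if (*end == ',' && end[1] == '\0') return -1;      /* trailing comma */
        out[n++] = (gid_t)v;
        s = *end ? end + 1 : end;
    }
    return n;
}

int is_setugid(void)             /* real != effective ids: setuid/setgid program */
{ return getuid() != geteuid() || getgid() != getegid(); }

/* Returns 0 if LD_CHROOT is unset or ignored, 1 when applied, -1 on error. */
int apply_ld_chroot(void)
{
    const char *dir = getenv("LD_CHROOT"), *u = getenv("LD_CHROOT_UID");
    const char *g = getenv("LD_CHROOT_GID"), *gs = getenv("LD_CHROOT_GIDS");
    gid_t ids[MAX_GIDS], uid = 0, gid = 0;
    int n = 0;
    if (!dir || is_setugid()) return 0;   /* not honoured for setuid/setgid */
    /* Validate everything first: once chroot() succeeds there is no clean way
       back, and numeric ids need no passwd/group lookup inside the new root. */
    if (gs && (n = parse_ids(gs, ids, MAX_GIDS)) < 0) return -1;
    if (u && parse_ids(u, &uid, 1) != 1) return -1;
    if (g && parse_ids(g, &gid, 1) != 1) return -1;
    if (chdir(dir) != 0 || chroot(dir) != 0) return -1;
    /* Order matters: groups, then gid, then uid (the privilege doing it all). */
    if ((u || g || gs) && setgroups((size_t)n, ids) != 0) return -1;
    if (g && setgid(gid) != 0) return -1;
    if (u && setuid((uid_t)uid) != 0) return -1;
    return 1;
}
```

Anything a program resolves by name (hosts, users, shared objects) would still have to be touched before `apply_ld_chroot()` runs, or be present inside the new root.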