Thor Lancelot Simon <t...@panix.com> wrote:

> The point is, this is interesting functionality that makes something
> new possible that is potentially useful from a security point of view,
> but the new thing that's possible also breaks assumptions that existing
> code may rely on to get security guarantees it wants.  

Well, it is standard-mandated and we want to be standard-compliant. If
it is a security hazard, we can have a sysctl to disable the system
call. Something like
sysctl -w kern.fexecve = 0 and it would return ENOSYS.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
m...@netbsd.org
