>For those who don't have HP-UX 10 systems handy priviledge
>groups associate groups (although I'd do it to the granularity
>of users) access to certain system capabilities.
A scheme like this, if done right, could eliminate the vast majority of
security holes that show up in unix... While we're at it, it would be a
good idea to have restrictions also, such as not allowed to fork, not
allowed to exec, not allowed to open files for writing (possibly even
with a list of files excepted from the restriction). This could be used
to prevent priviledged programs from expanding their access. The program
should also be allowed to add restrictions to itself or drop privledges.