>> 3. Hardest/most flexible: set the appropriate paths through /proc/sys;
>> disable Java binaries unless the paths are set.
>>=20
>> I'll try to hack up #3.
>>=20
(Hmmm, your mail indicates something is >=20, but what?)
> Seems someone beat me to it... except: it doesn't work when
> binfmt_java is a loadable module. Also, /bin/bash is still
> hard-coded, which is unacceptable. If these things have to be
> scripts, it should be handled through the standard #! mechanism.
> Furthermore, it still seems to me there is something wrong with the
> code when executing a binary in a different directory.
This is WRONG. The Java binary format has already been defined.
It can not contain the #! stuff because it is a binary format,
not a text format. The #! stuff is not portable anyway, because
most interpreters do not have a standard location across all the
different types of Unix clones.

I'm starting to think that a general mechanism for executing scripts
based on magic number would be both useful and practical. There
could be a table in /proc that root can fill with various numbers
and paths. By default it would have DOS EXE and Java. Sick and
twisted admins could add image formats. Why stop them? :-)

The idea to run /sbin/magicexec on unknown binary formats
is broken, because then the kernel can not indicate that an
exec failed. It is also too slow.
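
The magic-number table proposed above, sketched as an added example (not code from this thread or from the kernel): the lookup happens in the exec path itself, so an unknown format fails with ENOEXEC instead of being handed to a helper. The struct, function name, table layout and interpreter paths are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* One row of the hypothetical root-writable table: magic bytes at a
 * fixed offset map to an absolute interpreter path. */
struct magic_entry {
    size_t offset;
    const unsigned char *magic;
    size_t len;
    const char *interp;            /* constructed sample paths */
};

static const struct magic_entry magic_table[] = {
    { 0, (const unsigned char *)"\xCA\xFE\xBA\xBE", 4, "/usr/bin/java" },
    { 0, (const unsigned char *)"MZ",               2, "/usr/bin/dosemu" },
};

/* Returns 0 and sets *interp on a match, -EINVAL if the matching entry
 * holds a relative path, and -ENOEXEC when nothing matches or the
 * header is too short, so the caller's exec fails visibly. */
int magic_lookup(const unsigned char *hdr, size_t hdr_len, const char **interp)
{
    size_t i;

    for (i = 0; i < sizeof(magic_table) / sizeof(magic_table[0]); i++) {
        const struct magic_entry *e = &magic_table[i];

        /* Bounds check before comparing: never read past the header. */
        if (e->offset > hdr_len || e->len > hdr_len - e->offset)
            continue;
        if (memcmp(hdr + e->offset, e->magic, e->len) != 0)
            continue;
        /* Only absolute paths: nothing is resolved relative to the
         * caller's working directory or PATH. */
        if (e->interp[0] != '/')
            return -EINVAL;
        *interp = e->interp;
        return 0;
    }
    return -ENOEXEC;
}

int main(void)
{
    /* Constructed sample header: first bytes of a Java class file. */
    static const unsigned char cls[] = { 0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 0x34 };
    const char *interp = NULL;

    return magic_lookup(cls, sizeof(cls), &interp) == 0 ? 0 : 1;
}
```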