On Sat, 03 May 2003 13:19:52 -0000, linux@horizon.com  said:

> An interesting question arises: is the number of useful interpreter
> functions (system, popen, exec*) sufficiently low that they could be
> removed from libc.so entirely and only staticly linked, so processes
> that didn't use them wouldn't even have them in their address space,
> and ones that did would have them at less predictible addresses?
> 
> Right now, I'm thinking only of functions that end up calling execve();
> are there any other sufficiently powerful interpreters hiding in common
> system libraries?  regexec()?

This does absolutely nothing to stop an exploit from providing its own
inline version of execve().  There's nothing in libc that a process can't
do itself, inline.

A better bet is using an LSM module that prohibits exec() calls from any
unauthorized combinations of running program/user/etc.