In the section "5.2 Isolating single-source transformations" Dan shows how to safely
sandbox(*) a program which does a data transformation (jpegtopnm for example) so that it can
only perform a data transformation. He says: "Existing UNIX tools make this sandbox tolerably
easy for root to create". Which is true. What he doesn't say is that existing UNIX tools don't
allow non-root accounts to create such a safe space. That greatly limits the usefulness of
those particular techniques - but also could imply a program of future OS development. Why
shouldn't an unprivileged process be able to chdir and chroot to an empty directory?
*) The procedure might be flawed however. I notice that step one sets RLIMIT_NOFILES to zero.
The Open Group says that setting zero will produce undefined behaviour.
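As an added illustration, not code from the post or from Bernstein's paper: a C program that applies the two steps the post names (chdir+chroot into an empty directory, then the RLIMIT_NOFILE limit, spelled RLIMIT_NOFILES in the post, set to zero) to a forked child and checks from the parent that the child can still use the pipe it inherited but can no longer obtain a new descriptor. The chroot() errno is recorded instead of aborting, so an unprivileged account sees the EPERM the post complains about, and the function and directory names are my own; the EMFILE outcome is Linux behaviour, which is exactly what the footnote says the standard leaves unspecified.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SBX_OK = 0, SBX_SETRLIMIT_FAILED, SBX_NEW_FD_ALLOWED,      /* probe_sandbox() results */
       SBX_UNEXPECTED_ERRNO, SBX_INHERITED_FD_BROKEN, SBX_FORK_FAILED };
/* The two steps named in the post, applied to the calling process. chdir+chroot into an
 * empty directory needs root, so its errno is recorded (EPERM for an ordinary account)
 * rather than treated as fatal; RLIMIT_NOFILE = 0 then forbids every new descriptor. */
static int apply_transformation_sandbox(const char *empty_dir, int *chroot_errno)
{
    *chroot_errno = 0;
    if (chdir(empty_dir) != 0 || chroot(empty_dir) != 0)
        *chroot_errno = errno;
    struct rlimit zero = { 0, 0 };
    return setrlimit(RLIMIT_NOFILE, &zero);   /* lowering a limit needs no privilege */
}

/* Fork a child, sandbox it, and check from outside that it can still talk over the
 * pipe it inherited but cannot obtain a new descriptor (pipe() must fail with EMFILE,
 * the Linux behaviour). A non-NULL chroot_errno receives the child's chroot() errno. */
static int probe_sandbox(int *chroot_errno)
{
    int chan[2], scratch[2], status = 0, cerr = 0;
    unsigned char verdict = SBX_OK; char dir[64];
    snprintf(dir, sizeof dir, "/tmp/sbx-%ld", (long)getpid());  /* constructed empty dir */
    int have_dir = mkdir(dir, 0700) == 0;
    if (pipe(chan) != 0) return SBX_FORK_FAILED;
    pid_t pid = fork(); if (pid < 0) return SBX_FORK_FAILED;
    if (pid == 0) {
        if (apply_transformation_sandbox(have_dir ? dir : "/", &cerr) != 0)
            verdict = SBX_SETRLIMIT_FAILED;
        else if (pipe(scratch) == 0) verdict = SBX_NEW_FD_ALLOWED;   /* limit not enforced */
        else if (errno != EMFILE) verdict = SBX_UNEXPECTED_ERRNO;
        if (write(chan[1], &verdict, 1) != 1) _exit(255);     /* inherited fd still works */
        _exit(cerr & 0xff);
    }
    close(chan[1]);
    int got = (int)read(chan[0], &verdict, 1);
    close(chan[0]);
    waitpid(pid, &status, 0);
    if (have_dir) rmdir(dir);
    if (chroot_errno) *chroot_errno = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return got == 1 ? (int)verdict : SBX_INHERITED_FD_BROKEN;
}
```

Run as a normal user the child reports chroot errno 1 (EPERM) while the descriptor limit is still enforced, which is the asymmetry the post points out: the limit step is available to anyone, the chroot step is not.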