What to do about nologin(8)?

Peter Jeremy peterjeremy at optushome.com.au
Tue Feb 24 01:35:29 PST 2004


On Mon, Feb 23, 2004 at 05:45:07PM +0000, Colin Percival wrote:
>  I can see a number of possible options; I'd like to hear
>opinions on which would be the best.
...
8) Make nologin setgid to a suitably unprivileged group
   and rely on rtld(1) to ignore LD_LIBRARY_PATH & friends.
   (setgid is less unsafe than setuid)
   Pro: nologin remains dynamically linked in /sbin (avoiding
        POLA breakage)
   Con: Introduces an "unnecessary" setgid program

Peter
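
Added example, not part of the message above and not FreeBSD's rtld source: a sketch of the check that option 8 relies on, where a loader that sees a set-ID process refuses to honour `LD_*` variables. The function names, sample environment and numeric IDs are constructed for illustration; a real loader uses the kernel's own taint flag (issetugid(2) on FreeBSD) rather than comparing IDs itself.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified taint test: exec of a setuid/setgid binary leaves the
 * real and effective IDs different. (Hypothetical helper.) */
static int ids_tainted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Drop every "LD_*" entry from a NULL-terminated environment in place
 * when the process is tainted; returns the number of entries removed. */
static size_t scrub_ld_env(char **envp, int tainted)
{
    size_t removed = 0;
    char **dst = envp;

    if (!tainted)
        return 0;               /* untainted: environment is honoured */
    for (char **src = envp; *src != NULL; src++) {
        if (strncmp(*src, "LD_", 3) == 0)
            removed++;          /* LD_LIBRARY_PATH, LD_PRELOAD, ... */
        else
            *dst++ = *src;      /* keep everything else, in order */
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment. */
    char *env[] = { "PATH=/sbin:/bin", "LD_LIBRARY_PATH=/tmp/lib",
                    "LD_PRELOAD=/tmp/x.so", "HOME=/nonexistent", NULL };
    /* Constructed IDs: caller is 1001:1001, binary is setgid 65533. */
    int tainted = ids_tainted(1001, 1001, 1001, 65533);
    size_t n = scrub_ld_env(env, tainted);

    printf("tainted=%d removed=%zu\n", tainted, n);
    for (char **e = env; *e != NULL; e++)
        printf("  %s\n", *e);
    return 0;
}
```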

