A correction about the ld-linux.so workaround
I have a correction to make to yesterday's post about mod_php and Apache. Unfortunately, it's not good news about the root problem, which is all of those file descriptors being inherited. It's about the mention of using ld-linux.so to run something from a filesystem mounted noexec.
Thanks to quick feedback from Matt, I now know that strategy is no longer valid unless you are running a relatively old kernel. From the mount man page:
noexec Do not allow direct execution of any binaries on the mounted file system. (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)
So there it is. One part of my tale is now obsolete. Thanks for the tip, Matt!
It's too bad that the rest of it is still chillingly valid.
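To check where a given host stands, here is an added example (not code from the original post) that reads /proc/mounts-style text, reports which mount points carry noexec, and applies the 2.4.25 / 2.6.0 cutoffs from the man page excerpt above. The sample mount table, the release strings and the function names are all constructed for illustration.

```python
import re

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/up\\040load vfat rw,nosuid,noexec 0 0
"""

def parse_mounts(text):
    """Yield (mount_point, option_set) for each /proc/mounts-style line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # The kernel writes space, tab, newline and backslash as \ooo octal.
        point = re.sub(r"\\([0-7]{3})",
                       lambda m: chr(int(m.group(1), 8)), fields[1])
        yield point, set(fields[3].split(","))

def loader_trick_blocked(release):
    """True at or past the versions the mount man page names:
    2.4.25 within the 2.4 series, 2.6.0 for everything else."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    ver = tuple(int(part or 0) for part in m.groups())
    if ver[:2] == (2, 4):
        return ver >= (2, 4, 25)
    return ver >= (2, 6, 0)

def audit(mounts_text, release):
    """Map each mount point to its status for the given kernel release."""
    blocked = loader_trick_blocked(release)
    report = {}
    for point, opts in parse_mounts(mounts_text):
        if "noexec" not in opts:
            report[point] = "exec allowed"
        elif blocked:
            report[point] = "noexec, loader trick blocked"
        else:
            report[point] = "noexec, loader trick possible"
    return report

if __name__ == "__main__":
    for release in ("2.4.20", "5.15.0"):  # constructed release strings
        for point, status in audit(SAMPLE_MOUNTS, release).items():
            print(release, point, status)
```

On a live host, pass the contents of /proc/mounts and the output of platform.release() to audit() instead of the sample values.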