looking glass security

on OpenBSD, the httpd (an apache 1.3 variant, though with over 40000 lines of diff to their last free version, and countless security fixes they never bought back) runs in a chroot jail by default

the readonly socket can be placed inside that jail
    bgpd_flags="-r /var/www/bgpd.rsock" in rc.conf.local

put a statically linked bgpctl binary in the chroot
    /path/to/bgpctl -s /bgpd.rsock $commands

looking glass running in a chroot jail as user www, no permissions
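One way to keep $commands under control in such a setup, as an added example (not code from the original slides or from OpenBGPD): a small CGI front end, in C so it can be statically linked into the chroot, that maps a request key to a fixed bgpctl argv and runs it without a shell. The request keys, the "key&arg" query form and the helper name build_argv are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BGPCTL "/path/to/bgpctl"  /* placeholder path, as on the slide */
#define RSOCK  "/bgpd.rsock"      /* restricted socket, path as seen inside the chroot */
/* Allowlist (keys are assumptions): request key -> fixed bgpctl words. */
static const struct { const char *key, *w1, *w2; int takes_arg; } allowed[] = {
	{ "summary",  "show", "summary",  0 },
	{ "neighbor", "show", "neighbor", 1 },
	{ "rib",      "show", "rib",      1 },
};

/* Build an argv for bgpctl; returns argc, or -1 if the request is rejected. */
int build_argv(const char *key, const char *arg, const char *argv[7])
{
	for (size_t i = 0; key != NULL && i < sizeof(allowed) / sizeof(allowed[0]); i++) {
		const char *fixed[] = { "bgpctl", "-s", RSOCK, allowed[i].w1, allowed[i].w2 };
		if (strcmp(key, allowed[i].key) != 0)
			continue;
		memcpy(argv, fixed, sizeof(fixed));
		argv[5] = argv[6] = NULL;
		if (arg == NULL || *arg == '\0')
			return 5;
		/* Address/prefix characters only; no '-', so it cannot pass as an option. */
		if (!allowed[i].takes_arg || arg[strspn(arg, "0123456789abcdefABCDEF.:/")] != '\0')
			return -1;
		argv[5] = arg;
		return 6;
	}
	return -1;
}

int main(void)
{
	const char *argv[7], *q = getenv("QUERY_STRING");
	char buf[64], *arg;
	if (q == NULL || strlen(q) >= sizeof(buf))
		q = "";
	arg = strchr(strcpy(buf, q), '&');  /* "key&arg" query form is an assumption */
	if (arg != NULL)
		*arg++ = '\0';
	fputs("Content-Type: text/plain\r\n\r\n", stdout);
	fflush(stdout);
	if (build_argv(buf, arg, argv) != -1)
		execv(BGPCTL, (char *const *)argv);  /* no shell involved */
	puts("request rejected or exec failed");
	return 1;
}
```

The restricted socket and the chroot remain the actual security boundary; the allowlist only narrows what a web request can ask bgpctl to do.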