You'd have to make *ALL* setuid programs readonly by root. Otherwise it would be too easy to get the cookie.
Warner