When including the listing of a directory in root's security mail, pass the
-q flag to ls(1) so that non-printable characters will appear as '?'. This
prevents a malicious user from fooling the administrator into thinking the
contents of a file name are actually valid script output (note that you can
put newlines in file names); deraadt@ ok
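
The effect described in the commit message, as an added example that is not part of the commit or of OpenBSD's own scripts: it builds a scratch directory with a constructed file name containing a newline, then compares a plain listing with an `ls -q` listing. The function names, the file names and the fake report line are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added illustration; every name and the sample "report line" are constructed.

# make_demo_dir: scratch directory with one ordinary file and one file whose
# name embeds a newline followed by text that looks like script output.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"
    : > "$dir/$(printf 'a\nChecking setuid files: no changes')"
    printf '%s\n' "$dir"
}

# listing DIR [FLAG]: one-name-per-line listing, as it would be pasted into mail.
listing() { ls -1 ${2:+"$2"} "$1"; }

# count_entries DIR: real number of (non-dot) entries, counted by the shell glob.
count_entries() { set -- "$1"/*; echo "$#"; }

# count_lines DIR [FLAG]: number of lines the listing puts into the report.
count_lines() { listing "$@" | wc -l | tr -d ' '; }

# forged_lines DIR [FLAG]: listing lines that start like script output.
# grep -c exits non-zero on a count of 0, hence the "|| true".
forged_lines() { listing "$@" | grep -c '^Checking setuid' || true; }

# Demo: without -q the report gains a line no file accounts for; with -q
# each entry stays on exactly one line and the newline shows up as '?'.
demo=$(make_demo_dir) || exit 1
echo "entries:        $(count_entries "$demo")"
echo "lines (ls):     $(count_lines "$demo")"
echo "lines (ls -q):  $(count_lines "$demo" -q)"
echo "--- ls -q output ---"
listing "$demo" -q
rm -rf "$demo"
```

A listing is safe to embed in a line-oriented report only when its line count equals the entry count, which is what `-q` guarantees here.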