> As df will no longer work for non-root users, we recommend removing
> the execute permissions for them also.
this is false. without the setuid bit, df works just fine for
non-root users (at least under 6.2). the only effect is that the
little-used and expensive '-f' option (which forces df to scan the
free block list and hence requires access to the device) won't work.
there's no good reason to take away execute permission from df, unless
your users are likely to be extremely confused by the lack of the '-f'
option.
dk