Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: Guido van Rooij <guido@gvr.win.tue.nl>
From: Андрей Чернов <ache@nagual.ru>
List: tech-userlevel
Date: 10/18/1996 01:57:34
> > 
> > bzero'ing a hash buffer is not a complete solution to the problem,
> > since the process may contain other potentially sensitive data
> > in its address space.  What you really want to do is protect
> > the cores.
> > 

I consider it a bad move too, and a performance degradation.
Why only DB? Why don't you automatically clear the stack too? :-)

Passwords can be stored anywhere in the application,
and it is a per-application task to clear sensitive data anywhere.

Please, back out this change.

> And what about a user attaching a debugger to a running ftpd...

He must be root for that.

-- 
Andrey A. Chernov
<ache@nagual.ru>
http://www.nagual.ru/~ache/
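
The two measures argued for in this thread (the application wiping its own secrets, and keeping the process from leaving a core file) can be sketched in C as follows. This is an added example, not part of the original message or of the libc change under discussion; `secure_clear`, `disable_core_dumps`, `check_password` and the sample password are hypothetical names and values constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <sys/resource.h>

/* Zero a buffer through a volatile pointer so the compiler cannot
 * drop the stores as dead writes to memory that is never read again. */
static void secure_clear(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Set the soft and hard core-size limits to 0 so a crash of this
 * process leaves no core file. Returns 0 on success, -1 on failure. */
static int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Hypothetical use of a secret held in a stack buffer. The strcmp is
 * only a stand-in for "using" the secret and is not constant-time. */
static int check_password(const char *supplied, const char *expected)
{
    char copy[64];
    int ok;

    strncpy(copy, supplied, sizeof(copy) - 1);
    copy[sizeof(copy) - 1] = '\0';
    ok = (strcmp(copy, expected) == 0);
    secure_clear(copy, sizeof(copy));  /* wipe before the frame is reused */
    return ok;
}

int main(void)
{
    if (disable_core_dumps() != 0)
        return 1;
    /* "hunter2" is a constructed sample value. */
    return check_password("hunter2", "hunter2") ? 0 : 1;
}
```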