Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: None <gritton@byu.edu>
From: David Greenman <dg@root.com>
List: tech-userlevel
Date: 10/18/1996 09:04:58
>Karl Denninger <karl@Mcs.Net> writes:
>
>> If there was a separate "destroy-data" call, that would be ok.  But there
>> isn't, and as such the ONLY way to have any security in these dbm routines
>> is to have the system enforce it.
>
>   Adding the call seems easy enough, and seems the most elegant solution.

   It doesn't solve the real problem. The problem is that applications that
were privileged might read sensitive data and store it internally. The dbm
routines are only one instance of the "store internally" problem. There are
countless other cases where similar things could happen...even temporary
garbage on the stack can be a problem.
   The ONLY solution is to not allow coredumps of processes that might contain
sensitive data. The change that was made to hash_buf.c should be backed out
and attempts should be made to ensure that the coredump won't happen in cases
where sensitive data may be a problem.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
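A process-side way to act on the recommendation above, added here as an illustration and not code from this thread or from FreeBSD: lower RLIMIT_CORE to zero before the program touches sensitive data, verify the limit took effect, and still scrub buffers afterwards (the scrub alone is the "destroy-data" step the reply says is insufficient on its own). The function and variable names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Forbid core dumps for this process. With an RLIMIT_CORE of 0 the kernel
 * writes no core file, so memory that once held secrets (dbm buffers,
 * stale stack contents) cannot land on disk. Both the soft and the hard
 * limit are set to 0 so the process cannot raise them again later.
 * Returns 0 on success, -1 on failure (errno set by setrlimit). */
int disable_coredumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Confirm the limit is in force: 1 if both soft and hard core-size limits
 * are 0, otherwise 0. */
int coredumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Overwrite a buffer that held secrets. The volatile pointer keeps the
 * compiler from dropping the stores as dead writes. This narrows the
 * window but, as the reply notes, does not cover copies elsewhere. */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

int main(void)
{
    char secret[32] = "constructed-sample-secret";   /* constructed value */

    if (disable_coredumps() != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return 1;
    }
    printf("core dumps disabled: %s\n", coredumps_disabled() ? "yes" : "no");

    /* ... read and use the sensitive data here ... */

    scrub(secret, sizeof secret);
    return 0;
}
```

Lowering a limit is permitted for an unprivileged process, so this works without root; enforcing the same policy system-wide for privileged programs is a kernel setting and is not shown here.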