Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: Joe Greco <jgreco@brasil.moneng.mei.com>
From: Justin T. Gibbs <gibbs@freefall.freebsd.org>
List: tech-userlevel
Date: 10/18/1996 09:16:58
>> Which is what is accomplished, just in this case it's by the kernel (where
>> security should be enforced) not by a library.
>
>I assume (hope!) that you are saying that the "fix" in the "kernel" is
>appropriate protection of the core file, not somehow mangling the contents
>of the core file to provide this protection.

Yes, it is by protecting the core file.

>> >What's the objection to clearing possibly-contaminated structures when a
>> >program signifies it's done with a privileged resource?
>> 
>> It causes any db client to pay this penalty regardless of what is stored
>> in the database.  That is bad design.
>
>Would it be possible to extend the db interface to have a "suicide call"
>that wiped itself clean?  Something that would not interfere with normal
>db functions, but instead act as an extension?

It shouldn't be necessary if you protect the core dump, ptrace, kmem, etc.
paths of attacks.  What happens if you core dump in the library or before
you can call the "cleanup" routine?

--
Justin T. Gibbs
===========================================
  FreeBSD: Turning PCs into workstations
===========================================
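The two mitigations the thread contrasts, as an added C example that is not part of the original message or of the libc db code: asking the kernel not to write a core file for the process at all (RLIMIT_CORE), and scrubbing a buffer on the library side once the caller is done. The names disable_core_dumps(), core_dumps_disabled(), wipe_secret() and sample_secret are this example's own.

```c
/* Added example, not code from the thread. Contrasts a process-level
 * defence (no core file is ever written, so a crash inside the library or
 * before any cleanup call leaks nothing) with library-side scrubbing.
 * Portable to FreeBSD and Linux. */
#include <stddef.h>
#include <sys/resource.h>

/* Constructed sample buffer standing in for a db record holding a secret. */
unsigned char sample_secret[16] = "constructed!";

/* Ask the kernel never to produce a core file for this process. Called
 * early, before any secret is loaded. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;   /* lowering the hard limit too makes this irreversible */
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Report whether the soft core-file size limit is currently zero. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Library-side mitigation: zero a buffer through a volatile pointer so the
 * compiler cannot drop the stores as dead. Returns the number of bytes
 * still non-zero afterwards (0 means the wipe took effect). */
size_t wipe_secret(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    size_t i, leftover = 0;
    for (i = 0; i < len; i++)
        p[i] = 0;
    for (i = 0; i < len; i++)
        leftover += (p[i] != 0);
    return leftover;
}

int main(void)
{
    if (disable_core_dumps() != 0)
        return 1;
    /* ... use sample_secret here ... */
    return (int)wipe_secret(sample_secret, sizeof sample_secret);
}
```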