Subject: Re: SUGID bit in coredump()
To: None <curt@portal.ca, tech-kern@NetBSD.ORG>
From: Chris Torek <torek@BSDI.COM>
List: tech-kern
Date: 10/18/1996 19:30:47
``Use the Source, Luke!''  :-)

>If we turn on the SUGID bit as soon as a root process does a
>setXXid() call

I was the one who added the SUGID bit (back when it was SSUGID
rather than P_SUGID), when Craig Leres and I were putting Van
Jacobson's ptrace attach in.  We needed something that would get
set and stay set any time a process had or changed any privileges,
until it exec'ed some other program.  The exec wipes memory, and
by that time it should have closed any `sensitive' file descriptors.
I was actually not worried as much about memory contents as about
attaching to a previously-root process that had some important file
open read/write -- you could use ptrace to zap new code into it,
then write arbitrary new contents.  This included processes that
started life as root and then became someone else, so P_SUGID is
set for *all* privilege-changing operations, even setgroups().

I did not think to apply it to core dumps at that time, but it
is the correct bit to use.  We (BSDI) have switched over to
testing P_SUGID recently as well.

Chris
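The mechanism Chris describes, modelled in user space as an added example (this is not NetBSD or BSD/OS kernel code, and the bit value, the `m_` function names, the struct layout and the uid/gid numbers are all illustrative): every privilege-changing call, setgroups() included, sets a sticky P_SUGID flag that only exec clears; the ptrace attach and core dump paths then refuse any process that carries it. The credentials-only check at the end is a deliberate contrast, not any kernel's actual test, to show why a process that started as root and then became uid 1000 needs the sticky flag to be caught:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define P_SUGID 0x00000100u   /* illustrative bit value; real kernels use their own */

/* Credentials and flags of one modelled process (constructed for the example). */
struct proc {
    unsigned p_flag;
    unsigned p_ruid, p_euid, p_svuid;   /* real, effective, saved uid */
    unsigned p_rgid, p_egid, p_svgid;   /* real, effective, saved gid */
    int      p_ngroups;
};

static void proc_init(struct proc *p, unsigned uid, unsigned gid) {
    memset(p, 0, sizeof *p);
    p->p_ruid = p->p_euid = p->p_svuid = uid;
    p->p_rgid = p->p_egid = p->p_svgid = gid;
}

/* Simplified setuid(2): root may become anyone, others may only go back to
 * their real or saved uid. Every successful call marks the process P_SUGID. */
static int m_setuid(struct proc *p, unsigned uid) {
    if (p->p_euid != 0 && uid != p->p_ruid && uid != p->p_svuid)
        return -1;                               /* EPERM */
    p->p_ruid = p->p_euid = p->p_svuid = uid;
    p->p_flag |= P_SUGID;
    return 0;
}

/* setgroups(2) changes privilege too, so it sets the flag as well. */
static int m_setgroups(struct proc *p, int ngroups) {
    if (p->p_euid != 0 || ngroups < 0)
        return -1;                               /* EPERM / EINVAL */
    p->p_ngroups = ngroups;
    p->p_flag |= P_SUGID;
    return 0;
}

/* execve: the old image (and its flag) is discarded. A set-id image starts
 * the new program with the flag set, any other image starts it clear. */
static void m_exec(struct proc *p, bool image_setuid, unsigned image_uid) {
    if (image_setuid) {
        p->p_euid = p->p_svuid = image_uid;
        p->p_flag |= P_SUGID;
    } else {
        p->p_flag &= ~P_SUGID;
    }
}

/* ptrace attach gate: the superuser may attach to anything; anyone else needs
 * the same real uid and a target that has never changed privilege. */
static bool m_ptrace_attach_allowed(const struct proc *tracer, const struct proc *t) {
    if (tracer->p_euid == 0)
        return true;
    return tracer->p_ruid == t->p_ruid && !(t->p_flag & P_SUGID);
}

/* coredump gate: the same bit decides whether memory may hit the disk. */
static bool m_coredump_allowed(const struct proc *p) {
    return !(p->p_flag & P_SUGID);
}

/* Illustrative contrast only: a test on current credentials cannot tell a
 * process that was always uid 1000 from one that was root a moment ago. */
static bool creds_only_dump_allowed(const struct proc *p) {
    return p->p_ruid == p->p_svuid && p->p_rgid == p->p_svgid;
}

struct verdicts { bool attach, dump, creds_only; };

/* Scenario from the message: a daemon starts as root, then setuid()s to
 * uid 1000 while still holding sensitive descriptors. Another uid-1000
 * process tries to attach. Optionally the daemon execs a plain binary. */
static struct verdicts scenario_root_became_user(bool after_exec) {
    struct proc daemon, attacker;
    proc_init(&daemon, 0, 0);
    proc_init(&attacker, 1000, 1000);
    m_setuid(&daemon, 1000);
    if (after_exec)
        m_exec(&daemon, false, 0);
    struct verdicts v = { m_ptrace_attach_allowed(&attacker, &daemon),
                          m_coredump_allowed(&daemon),
                          creds_only_dump_allowed(&daemon) };
    return v;
}

static bool scenario_setgroups_sets_flag(void) {
    struct proc p;
    proc_init(&p, 0, 0);
    return m_setgroups(&p, 2) == 0 && (p.p_flag & P_SUGID) != 0;
}

int main(void) {
    struct verdicts before = scenario_root_became_user(false);
    struct verdicts after  = scenario_root_became_user(true);
    printf("before exec: attach=%d dump=%d creds-only-check=%d\n",
           before.attach, before.dump, before.creds_only);
    printf("after exec:  attach=%d dump=%d\n", after.attach, after.dump);
    printf("setgroups alone sets P_SUGID: %d\n", scenario_setgroups_sets_flag());
    return 0;
}
```

The interesting line is the `creds_only` verdict: once root has called setuid(1000) all three uids agree, so a check on the ids themselves would allow the dump (and, by the same logic, the attach), while the sticky flag still refuses both until the exec wipes the image.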