Re: perl

From: Phil Pennock
Subject: Re: perl
Date: 07:54 on 27 Dec 2006
On 2006-12-26 at 21:20 -0600, Peter da Silva wrote:
> No, the real question is why someone would write a compiled C program to do
> more or less the same thing.
> 
> Including things like:
> 
> 	/* system("sleep 10"); */
> 	system("sleep 5");
> 
> You can tell exactly what the programmer was thinking from comments like that.

It's been more than ten years, so I think that it's now safe to relate
this; my fixed code, whilst crap, has replaced the older crap, surely
everywhere.

I was working for the company maintaining the interbank transaction
settlement software for a Big Bank; if you know the names of just a few
really big American banks, you know the name.  This was the software
which sends the odd half billion around every night so that the banks
can pony up the differences.

One of the clean-up programs, designed to run on highly-secure systems
(keystroke loggers up the wazzoo, etc) was written in C because it was
setuid root.  It was basically a series of:
  system("rm fred/forgotten.ext");

*cough*

This was for some software which led to my learning that DCE for
Solaris, provided by Transarc, is fundamentally not able to compile code
which attempts to be reliable.  When your application framework is based
around POSIX threads and you redeclare errno as an int, whilst the host
OS redeclares errno to something like (*(___errno())) for threaded
environments, you have a fundamental incompatibility.  You want to build
your DCE, thus threaded, application?  You can't build with the compiler
flags which make the code thread-safe.

The reason the security hole came to light was because the software
didn't include any shutdown RPC calls; the code used a signal handler
for SIGTERM; but POSIX doesn't let you dictate which thread receives the
signals and messing with any signal handling under DCE was a big no-no.
So unsurprisingly the transaction settlement framework couldn't be
shut down properly.  So the original programmer had settled for making
the shutdown command use SIGKILL.  Hence restarting this software meant
waiting 8 to 10 minutes of vaguely serious outage whilst some part of
DCE's framework read through a rather large directory of stale state
files.

A one-time clean-up script, a shutdown call added to the various RPC
interfaces, and a start-up cleanup script meant the bank had an outage
of only about three seconds thereafter.

-Phil
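Added example, not code from Phil's message or from the bank's software: the clean-up pattern he describes, `system("rm fred/forgotten.ext")` inside a setuid-root binary, hands a relative path to /bin/sh, so the file removed depends on the caller's working directory and the shell on the caller's PATH. The replacement below removes one named file with no shell and no relative path; the function names, the refusal rules and the /tmp sample file are my assumptions.

```c
/* Added example. cleanup_as_posted() is the pattern from the message,
 * kept only for contrast and never called: a shell, a relative path, and
 * whatever environment the unprivileged caller handed the setuid binary. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

int cleanup_as_posted(void)
{
    return system("rm fred/forgotten.ext");
}

/* Remove exactly one regular file at an absolute path, without a shell.
 * Returns 0 on success, -1 with errno set on refusal or failure. */
int remove_stale_file(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/') {   /* relative: depends on cwd */
        errno = EINVAL;
        return -1;
    }
    /* lstat() does not follow symlinks, and unlink() removes the link
     * itself, never its target; still refuse anything but a plain file. */
    if (lstat(path, &st) == -1)
        return -1;
    if (!S_ISREG(st.st_mode)) {
        errno = S_ISDIR(st.st_mode) ? EISDIR : EPERM;
        return -1;
    }
    return unlink(path);
}

/* Self-check on a constructed temp file under /tmp (assumed writable):
 * create it, remove it through remove_stale_file(), confirm it is gone. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/forgotten.XXXXXX";
    int fd = mkstemp(path);
    if (fd == -1)
        return -1;
    close(fd);
    if (remove_stale_file(path) != 0)
        return -2;
    return (access(path, F_OK) == -1 && errno == ENOENT) ? 0 : -3;
}

int main(void)
{
    if (demo_roundtrip() != 0) { perror("remove_stale_file"); return 1; }
    if (remove_stale_file("fred/forgotten.ext") == -1 && errno == EINVAL)
        puts("relative path refused; absolute temp file removed cleanly");
    return 0;
}
```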

Generated at 22:02 on 27 Dec 2006 by mariachi 0.52