On 2006-12-26 at 21:20 -0600, Peter da Silva wrote:
> No, the real question is why someone would write a compiled C program to do
> more or less the same thing.
>
> Including things like:
>
> /* system("sleep 10"); */
> system("sleep 5");
>
> You can tell exactly what the programmer was thinking from comments like that.

It's been more than ten years, so I think that it's now safe to relate this; my fixed code, whilst crap, has replaced the older crap, surely everywhere.

I was working for the company maintaining the interbank transaction settlement software for a Big Bank; if you know the names of just a few really big American banks, you know the name. This was the software which sends the odd half billion around every night so that the banks can pony up the differences.

One of the clean-up programs, designed to run on highly-secure systems (keystroke loggers up the wazzoo, etc.) was written in C because it was setuid root. It was basically a series of:

    system("rm fred/forgotten.ext");

*cough*

This was for some software which led to my learning that DCE for Solaris, provided by Transarc, is fundamentally not able to compile code which attempts to be reliable. When your application framework is based around POSIX threads and you redeclare errno as an int, whilst the host OS redeclares errno to something like (*(___errno())) for threaded environments, you have a fundamental incompatibility. You want to build your DCE, thus threaded, application? You can't build with the compiler flags which make the code thread-safe.

The reason the security hole came to light was because the software didn't include any shutdown RPC calls; the code used a signal handler for SIGTERM, but POSIX doesn't let you dictate which thread receives the signals, and messing with any signal handling under DCE was a big no-no. So, unsurprisingly, the transaction settlement framework couldn't be shut down properly. So the original programmer had settled for making the shutdown command use SIGKILL.

Hence restarting this software meant waiting 8 to 10 minutes of vaguely serious outage whilst some part of DCE's framework read through a rather large directory of stale state files. A one-time clean-up script, a shutdown call added to the various RPC interfaces, and a start-up cleanup script meant the bank had an outage of only about three seconds thereafter.

-Phil
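The setuid-root clean-up pattern Phil describes (a shell spawned via system() to rm a relative path) next to a hardened replacement, as an added example that is not code from the thread or from the bank's software. The directory and file names are constructed; safe_remove() and demo() are hypothetical helpers.

```c
/* Added example: why system("rm fred/forgotten.ext") is a poor fit for a
 * setuid-root program, and what to do instead. errno comes from <errno.h>
 * rather than a hand-rolled "extern int errno", which is the breakage the
 * message describes under threaded DCE builds. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak form (constructed): the relative path resolves against whatever cwd
 * the invoking user chose, "rm" is found through the caller's PATH, and
 * the shell inherits the caller's environment, all with root privileges. */
void weak_cleanup(void) { (void)system("rm fred/forgotten.ext"); }

/* Hardened form: no shell, no PATH lookup, no cwd-relative resolution.
 * dir must be absolute; name must be exactly one path component. */
int safe_remove(const char *dir, const char *name)
{
    if (dir[0] != '/' || name[0] == '\0' || strchr(name, '/') != NULL
        || strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;               /* reject traversal before touching the fs */
        return -1;
    }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    int rc = unlinkat(dfd, name, 0);  /* unlink relative to the pinned directory */
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

/* Self-check: builds a scratch directory, removes one stale file from it,
 * and confirms traversal attempts and relative directories are refused.
 * Returns 1 when every check passes. */
int demo(void)
{
    char tmpl[] = "/tmp/cleanupXXXXXX";
    char *d = mkdtemp(tmpl);
    if (d == NULL) return 0;
    char path[256];
    snprintf(path, sizeof path, "%s/forgotten.ext", d);
    FILE *f = fopen(path, "w");
    if (f == NULL) return 0;
    fclose(f);
    int ok = safe_remove(d, "forgotten.ext") == 0
          && access(path, F_OK) != 0                  /* file is gone */
          && safe_remove(d, "../forgotten.ext") == -1
          && safe_remove("relative/dir", "x") == -1;
    rmdir(d);
    return ok;
}
```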
Generated at 22:02 on 27 Dec 2006 by mariachi 0.52