Well, yes, there was that embarrassing mile-wide hole in telnet (I haven’t used telnet in years except to debug Web protocols, but I guess someone must; seems to me anyone who leaves telnetd facing the Internet is exhibiting, uh, questionable judgment; but still.) Nasty security gotchas are nothing new in this world, but here’s something that is new: a first-hand report from the guy who got the call you don’t want to get, and then got the patch into the system. Actually, I don’t understand quite a bit of the jargon: “patch gate”, “RTI logging”, and so on; but it’s still a compelling story.
Contributions
Comment feed for ongoing:
From: Anonymous (Feb 12 2007, at 22:43)
Seems to me anyone who ships an operating system which defaults to leaving telnetd enabled is exhibiting, uh, questionable judgment; but still.
Seriously though, I agree that I can't understand why anyone would still run telnet, especially on the internet, and I hear newer releases of Solaris 10 are getting better about not making you do lots of work before you feel safe exposing a host to the internet. I liked the post you pointed to, but it seemed more about internal processes than real technical details -- still, I imagine that's to be expected with a one-line fix.
[link]
From: Dan Davies Brackett (Feb 13 2007, at 07:16)
I can fill in a bit of the jargon.
SSE: Service Support Engineer -- a Sun employee actually responsible for a customer site.
SCCS: The revision-control system the Solaris codebase uses.
IDR: Interim Development Relief -- an "unofficial" patch created by Sun's customer-facing organization that, while a good-faith effort to fix the problem you came to Sun with, (a) might not be the final solution and (b) hasn't passed QA, so comes with no compatibility/longevity/correctness guarantees.
Sun Alert: a newsflash that's sent out to people who subscribe to them that describes a high-priority issue and, potentially, any workarounds/resolutions that are available.
ISR: Interim Security Relief -- an IDR that's security-related, and therefore a bit more widely available.
"gate": a particular official version of the Solaris codebase that accumulates fixes and new development. Controlled by a Gatekeeper, who is responsible for the integrity of the gate and also merging that gate's changes with upstream gates. Gatekeepers feel very proprietary about their gates; they're a little like DBAs in that their primary responsibility is to the gate, not to any particular group. A "patch gate" is a gate that accumulates patches for a particular Solaris release. They're called Gates because at certain points, they close (usually while a new version is being built, or other similar changes are going on).
RTI: Request To Integrate -- a form that, once approved, allows an engineer to check code into a gate. For patch gates, where stability of the system is paramount, RTIs can be a significant hurdle; you have to have a really, really good case for change for the RTI to be granted.
Incidentally, the existence of all this process is one reason why it's taken so long for the OpenSolaris guys to take patches from people who aren't Sun employees. Right now, externally-sourced changes have to have an internal "sponsor" who has access to all of the behind-the-firewall tools and forms you need to fiddle with in order to force diffs on the codebase.
[link]