Writing

Software, technology, sysadmin war stories, and more. Feed
Tuesday, October 5, 2021

'date -d' vs. 'date -s', and 'show foo' vs. 'clear foo'

Here's something fun I saw which created an outage once. I've written about this before, but in light of yesterday's fun and games, I figured this one is worth another mention.

There was someone running around trying to do some work on a Linux box. They had picked up some time_t value from the logs - that is, the number of seconds since January 1, 1970 at midnight UTC that is typically thought of as "Unix time". Right now, it's about 1.6 billion, and will hit 1.7 billion in November 2023. They wanted to turn it back into a human-readable date.

One way to do this on a Linux box with the usual GNU userspace stuff is to feed it to date, like this:

$ date -d @1700000000
Tue Nov 14 14:13:20 PST 2023

The problem is, there's another command very much like it that will even spit out the same output, only it has a nice little side-effect: it also sets the clock. That command is date -s.

If you're on a QWERTY layout or are generally familiar with it, you might notice that [S] and [D] are right next to each other and are an easy typo to make with your left hand. That's one way to screw up.

Another problem is that you might not have known that -s has that effect, and you have been using it because it gives you the output you want, and you don't realize what else it can do.

Anyway, on this day, that person needed to translate a numeric count of seconds since the Unix epoch to a regular time string they could read, used the wrong command (off by ONE KEY POSITION), and *set the clock* to this wrong time.

This then touched off a whole bunch of badness which I already talked about before. It messed up other systems, and brought up questions of how to defend against it, and all of that other good stuff you'd expect to hear after a problem of that sort.

What's reminding me of it today is something I heard about yesterday's FB outage. I don't know exactly what went on inside there, or what happened to break everything, but I heard a rumor it was a command that was supposed to display everything, but instead it cleared everything.

That is, it might just be the difference between:

show mpls lsp

... and ...

clear mpls lsp

Of course, nobody's going to confirm or deny that, so we can only guess. But look at that: one command just lists a bunch of stuff, and the other one knocks them out!

Hopefully the similarity to 'date -d' vs. 'date -s' is clear.

Small commands can have giant consequences.