Quiz Entry - updated: 2026.06.23
Describe the 2003 Linux kernel backdoor attempt and what security control prevented it.
A one-character backdoor (= instead of ==) that silently granted root; it was caught because the source control tracked change provenance and the sneaky commit lacked it.
It was a single-character change (= instead of ==) that would have granted root privileges to any process.
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
The trick: uid = 0 is an assignment (not comparison uid == 0). This would silently grant root privileges to any process calling wait4() with specific options.
Why it failed:
- Inserted into CVS mirror, not the main BitKeeper repository
- BitKeeper required approval records for code changes
- The CVS commit lacked this metadata → discrepancy noticed during verification
Lessons:
- Use source control that tracks provenance of changes
- Code review should catch
=vs==errors - Compilers can warn about assignments in conditionals (
-Wall) - Even subtle one-character changes can be catastrophic