Linus found 1 character security vulnerability in kernel

What was that story, I think I heard it on the Tek, where Linus found a change from:

if (user == administrator)

to

if (user = administrator)?

Is there an article with more details?

I seem to remember on the show you implied Linus found that change on his own copy of the source code. I want to know more details about the exact circumstances and what happened.

Yeah, I would also like for someone with the right knowledge to explain what happened and what the circumstances were. Maybe @wendell could shed some light here?

I don't remember much about that story, but hopefully this helps.

When someone wants to contribute to the kernel they send a patch. Linus was reviewing submitted kernel patches (as usual) and he found this bug in one of them.

A bit of Linux background: Users in Linux are identified by a non-negative integer UID as well as their username, but it's mostly the number. The absolute administrator power on the machine belongs to the root user with UID 0.

Now about what the C code does:
variable = value means "set variable to value and return the value of the variable"
variable == value returns whether variable equals value

So the code
if (user_id = 0) { .. some code .. }
sets the user_id variable to 0, and then returns 0 to the if statement, which means that the if evaluates as false and the code doesn't run.

However the code
if (user_id == 0){ .. some code ..}
just checks whether the user_id variable already equals 0.

The caveat in this is that the first check whether the user is root would fail, but all other checks within that scope (syscall? function? I don't remember) would think that the user is root.
This effectively gives any user root privileges regarding the rest of that scope.

It is not known whether this was a mistake or someone was trying to push an exploit. I've also seen people use something akin to if (0 == user_id), because if (0 = user_id) results in a compilation error, as it is not possible to assign to a constant.
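The behaviour described in the answer above, as an added example that is not part of the original thread and is not kernel code: the struct, function names and the UID 1000 sample are constructed for illustration. It runs the buggy and the intended check side by side and records what a later root check in the same scope concludes.

```c
#include <stdio.h>

/* Outcome of one run: did the guarded branch execute, what UID is left
 * behind, and what a later root check in the same scope concludes. */
struct outcome {
    int branch_ran;
    unsigned int uid_after;
    int later_check_says_root;
};

/* Hypothetical later privilege check: root is UID 0. */
static int is_root(unsigned int user_id) { return user_id == 0; }

/* Buggy form: '=' stores 0 and yields 0, so the branch is skipped, yet
 * user_id is now 0. The doubled parentheses keep GCC/Clang -Wparentheses
 * (enabled by -Wall) quiet; with a single pair it flags this line. */
static struct outcome check_buggy(unsigned int user_id)
{
    struct outcome o = {0, 0, 0};
    if ((user_id = 0)) {
        o.branch_ran = 1;
    }
    o.uid_after = user_id;
    o.later_check_says_root = is_root(user_id);
    return o;
}

/* Intended form, written constant-first: dropping one '=' here gives
 * "0 = user_id", which does not compile. */
static struct outcome check_fixed(unsigned int user_id)
{
    struct outcome o = {0, 0, 0};
    if (0 == user_id) {
        o.branch_ran = 1;
    }
    o.uid_after = user_id;
    o.later_check_says_root = is_root(user_id);
    return o;
}

int main(void)
{
    unsigned int uid = 1000; /* constructed sample: an unprivileged UID */
    struct outcome b = check_buggy(uid), f = check_fixed(uid);
    printf("buggy: branch=%d uid_after=%u root=%d\n", b.branch_ran, b.uid_after, b.later_check_says_root);
    printf("fixed: branch=%d uid_after=%u root=%d\n", f.branch_ran, f.uid_after, f.later_check_says_root);
    return 0;
}
```

Building with -Wall -Werror turns the single-parenthesis form of the buggy check into a compile failure, which is the review aid the constant-first style also provides.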

https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/ I suppose Linus didn't find this one, but I remember seeing a talk that he had given in which he mentioned this incident and was checking things "extra carefully" on his own, too. It was a lecture, and I think the question that prompted this was about security and spying on unencrypted parts of the internet.

Thanks