[stareatgoats]

Was this a backdoor or not? Following the comments on the article and previous posts here on HN it seems the jury is out AFAICS.

The crucial question to me seems to be if this condition:

    options == (__WCLONE|__WALL) 

can be willfully introduced by a bad actor, and otherwise never really occur. Unfortunately I don't know this (not familiar with Linux development) but herein lies the answer it would seem.

[hyperman1]

Following the man pages:

wait4's man page points to waitpid for details, and notes wait4 is deprecated in favor of waitpid.

So see the linux notes of this: https://man7.org/linux/man-pages/man2/waitpid.2.html

  The following Linux-specific options [..] can also, since Linux 4.7, be used with waitid():
  __WCLONE  [...] This option is ignored if __WALL is also specified.
  __WALL

So to trigger this:

* You have to call a deprecated function

* With a flag that was at that time illegal (linux < 4.7)

* And a second illegal flag that is cancelled out by the first illegal flag.

This is something any userspace process can do, but no sane process should ever do.

[stareatgoats]

Ok thanks, that clinches it I think!

[speedgoose]

Definitely a door for a local privilege escalation. But since it's so obvious, we may call it a second front door.