Symlink race
A symlink race is a kind of
It is called a "race" because, in its typical manifestation, the program first checks whether a file of that name already exists and, if it does not, creates it. To exploit the flaw an attacker must create the link in the window between the check and the creation, which makes it a time-of-check to time-of-use (TOCTOU) bug.
A symlink race can happen with
Example
In this naive example, the
/tmp/foo
naturally) before making the queries.
The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link named /tmp/foo that points to the file /root/.rhosts. Then Mallory invokes foo with user as the requested account. The program creates the (temporary) file /tmp/foo, which in reality creates /root/.rhosts because the open follows the link, and writes information about the requested account (e.g. user password) into it. Finally it removes the temporary file, which merely removes the symbolic link; the data written through it stays in /root/.rhosts.
Now /root/.rhosts contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use
Also, some Unix systems provide a special flag O_NOFOLLOW for open(2) that makes the call fail instead of opening a file through a symbolic link (dangling or otherwise). It was standardized in POSIX.1-2008. Note that O_NOFOLLOW applies only to the final component of the path; symbolic links in the parent directories are still followed, and it offers no protection against a hard link to the target. Combining O_CREAT with O_EXCL closes the race itself, because the kernel then refuses to create the file if the name already exists, and a symbolic link counts as existing regardless of where it points.
Workaround
The POSIX C standard library function mkstemp can be used to safely create temporary files: it generates an unpredictable name and opens it with O_CREAT and O_EXCL in a single call, so an attacker cannot plant a link between a check and the creation. For shell scripts, the system utility does the same thing.