A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner. A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).

It is called a "race" because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the interval between the check and when the file is created.

A symlink race can also happen with antivirus products that decide they will quarantine or delete a suspicious file, and then go ahead and do that. During the interval between decision and action, malicious software can replace the suspicious file with a system or antivirus file that the malicious software wants overwritten.
Example
In this naive example, the Unix program foo is setuid. Its function is to retrieve information for the accounts specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (/tmp/foo, naturally) before making the queries.

The directory /tmp is world-writable. Malicious user Mallory creates a symbolic link to the file /root/.rhosts named /tmp/foo. Then, Mallory invokes foo with user as the requested account. The program creates the (temporary) file /tmp/foo (really creating /root/.rhosts) and puts information about the requested account (e.g. the user's password) in it. It then removes the temporary file (merely removing the symbolic link).

Now /root/.rhosts contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use rlogin to log into the computer as the superuser.
Some Unix systems also provide a special flag, O_NOFOLLOW, for open(2) that prevents opening a file via a symbolic link (dangling or otherwise). It has been standardized in POSIX.1-2008.
Workaround
The POSIX C standard library function mkstemp can be used to safely create temporary files: it chooses the name and creates the file in a single call, so there is no check-then-create window. For shell scripts, the corresponding system utility does the same thing.
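The following C program replays the foo scenario from the example above in a scratch directory and then applies both remedies described here (O_NOFOLLOW with O_EXCL, and mkstemp). It is an added illustration, not code from the original article; the directory layout (dir/foo standing in for /tmp/foo, dir/target standing in for /root/.rhosts) and the return-value encoding are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened create for a fixed name: O_EXCL rejects any existing entry and
 * O_NOFOLLOW rejects a symlink at the final component (errno EEXIST/ELOOP). */
static int create_nofollow(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replays the article's race in 'dir' (constructed scenario): foo's existence
 * check passes, Mallory plants dir/foo -> dir/target in the window, and foo's
 * open(O_CREAT|O_TRUNC) follows the link. Returns a bitmask: 1 = target
 * clobbered through the link, 2 = create_nofollow refused it, 4 = mkstemp OK. */
static int simulate_race(const char *dir) {
    char target[4096], link[4096], tmpl[4096];
    struct stat st; int result = 0, fd;
    snprintf(target, sizeof target, "%s/target", dir);  /* stands in for /root/.rhosts */
    snprintf(link, sizeof link, "%s/foo", dir);
    snprintf(tmpl, sizeof tmpl, "%s/foo.XXXXXX", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7) return -1;
    close(fd);
    if (access(link, F_OK) == 0) return -1;             /* step 1: "not there yet" */
    if (symlink(target, link) != 0) return -1;          /* step 2: link planted */
    fd = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* step 3: follows it */
    if (fd >= 0) close(fd);
    if (stat(target, &st) == 0 && st.st_size == 0) result |= 1;
    fd = create_nofollow(link);
    if (fd < 0 && (errno == ELOOP || errno == EEXIST)) result |= 2;
    else if (fd >= 0) close(fd);
    fd = mkstemp(tmpl);                                 /* name chosen + created atomically */
    if (fd >= 0 && lstat(tmpl, &st) == 0 && S_ISREG(st.st_mode)
        && (st.st_mode & 0777) == 0600) result |= 4;
    if (fd >= 0) { close(fd); unlink(tmpl); }
    unlink(link); unlink(target);
    return result;
}

/* Runs the scenario in a private scratch directory; expected result is 7. */
static int run_demo(void) {
    char dir[] = "/tmp/race.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    int r = simulate_race(dir);
    rmdir(dir); return r;
}
```

A result of 7 means the unsafe open emptied the target through the planted link while both hardened approaches left it alone.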