{{Short description|Type of software security vulnerability}}
{{refimprove|date=August 2016}}
A '''symlink race''' is a kind of software security vulnerability that results from a program creating files in an insecure manner.<ref>{{cite web|title=CAPEC-27: Leveraging Race Conditions via Symbolic Links|url=https://capec.mitre.org/data/definitions/27.html|publisher=CAPEC}}</ref> A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).
It is called a "race" because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the interval between the check and when the file is created.
A symlink race can happen with antivirus products that first decide to quarantine or delete a suspicious file and then act on that decision. During the interval between decision and action, malicious software can replace the suspicious file with a system or antivirus file that the malicious software wants overwritten.<ref>{{Cite web|url=https://www.zdnet.com/article/symlink-race-bugs-discovered-in-28-antivirus-products/|title=Symlink race bugs discovered in 28 antivirus products|website=ZDNet|author=Catalin Cimpanu|date=April 24, 2020}}</ref>
==Example==
In this naive example, the Unix program <code>foo</code> is <code>setuid</code>. Its function is to retrieve information for the accounts specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (<code>/tmp/foo</code> naturally) before making the queries.
The directory <code>/tmp</code> is world-writable. Malicious user Mallory creates a symbolic link to the file <code>/root/.rhosts</code> named <code>/tmp/foo</code>. Then, Mallory invokes <code>foo</code> with <code>''user''</code> as the requested account. The program creates the (temporary) file <code>/tmp/foo</code> (really creating <code>/root/.rhosts</code>) and puts information about the requested account (e.g. <code>''user password''</code>) in it. It removes the temporary file (merely removing the symbolic link).
Now <code>/root/.rhosts</code> contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use <code>rlogin</code> to log into the computer as the superuser.
On some Unix systems, <code>open(2)</code> accepts a special flag, <code>O_NOFOLLOW</code>, which refuses to open a file through a symbolic link (dangling or otherwise); the flag has been standardized in POSIX.1-2008.
==Workaround==
The POSIX C standard library function <code>mkstemp</code> can be used to safely create temporary files. For shell scripts, the system utility {{man|1|mktemp|OpenBSD||inline}} does the same thing.
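The following C code is an added illustration, not part of the article or of any real <code>foo</code> program: it places the article's check-then-create pattern beside the hardened forms (<code>O_CREAT|O_EXCL|O_NOFOLLOW</code> and <code>mkstemp</code>) and includes a self-check that plants a symlink at the temporary-file name, as Mallory does above, and confirms the hardened open refuses it. The scratch directory under <code>/tmp</code>, the constructed "victim" file and all function names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The article's vulnerable pattern: check, then create. A symlink planted
 * between the two calls is followed by fopen, which truncates its target. */
FILE *unsafe_tmp_create(const char *path)
{
    if (access(path, F_OK) == 0) return NULL;   /* "does it already exist?" */
    return fopen(path, "w");                    /* follows a symlink placed meanwhile */
}

/* Hardened: O_CREAT|O_EXCL makes check and create one atomic step and fails with
 * EEXIST if anything (a symlink included) is at the path; O_NOFOLLOW (POSIX.1-2008)
 * additionally refuses to traverse a symlink at the final path component. */
int safe_tmp_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp picks an unpredictable name and creates it atomically (0600). */
int create_with_mkstemp(void)
{
    char name[] = "/tmp/foo.XXXXXX";   /* trailing Xs are replaced by mkstemp */
    int fd = mkstemp(name);
    if (fd < 0) return 0;
    unlink(name); close(fd);            /* unlink at once; the open fd kept the file */
    return 1;
}

/* Self-check in a scratch directory: plant a symlink at the temp-file name pointing
 * at a constructed victim file, then confirm the hardened open refuses it. */
int verify_symlink_refused(void)
{
    char dir[] = "/tmp/symrace.XXXXXX", target[64], lnk[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);   /* stands in for /root/.rhosts */
    snprintf(lnk, sizeof lnk, "%s/foo", dir);            /* Mallory's /tmp/foo */
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0 || write(tfd, "keep\n", 5) != 5) return 0;
    close(tfd);
    if (symlink(target, lnk) != 0) return 0;
    int fd = safe_tmp_create(lnk);
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP); /* POSIX: EEXIST */
    if (fd >= 0) close(fd);
    struct stat st;
    int intact = stat(target, &st) == 0 && st.st_size == 5;     /* victim untouched */
    unlink(lnk); unlink(target); rmdir(dir);
    return refused && intact;
}
```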
==References==
{{Reflist}}
{{unix-stub}}
[[Category:Computer security exploits]]
[[Category:Unix]]