
Symlink race

A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner. A malicious user can create a symbolic link to a file not otherwise accessible to them. When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).

It is called a "race" because in its typical manifestation, the program checks to see if a file by that name already exists; if it does not exist, the program then creates the file. An attacker must create the link in the interval between the check and when the file is created.

A symlink race can happen with antivirus products that decide they will quarantine or delete a suspicious file, and then go ahead and do that. During the interval between decision and action, malicious software can replace the suspicious file with a system or antivirus file that the malicious software wants overwritten.

Example

In this naive example, the Unix program <code>foo</code> is <code>setuid</code>. Its function is to retrieve information for the accounts specified by the user. For "efficiency", it sorts the requested accounts into a temporary file (<code>/tmp/foo</code> naturally) before making the queries.

The directory <code>/tmp</code> is world-writable. Malicious user Mallory creates a symbolic link to the file <code>/root/.rhosts</code> named <code>/tmp/foo</code>. Then, Mallory invokes <code>foo</code> with <code>user</code> as the requested account. The program creates the (temporary) file <code>/tmp/foo</code> (really creating <code>/root/.rhosts</code>) and puts information about the requested account (e.g. <code>user password</code>) in it. It removes the temporary file (merely removing the symbolic link).

Now <code>/root/.rhosts</code> contains password information, which (if it even happens to be in the proper format) is the incantation necessary to allow anyone to use <code>rlogin</code> to log into the computer as the superuser.

Some Unix systems provide a special flag, <code>O_NOFOLLOW</code>, for <code>open(2)</code> that refuses to open a file through a symbolic link (dangling or otherwise); it has since been standardized in POSIX.1-2008.

Workaround

The POSIX C standard library function <code>mkstemp</code> can be used to safely create temporary files. For shell scripts, a system utility serving the same purpose is available.
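Added example, not code from the original page: the check-then-create pattern of the <code>foo</code> example above, written in C beside the atomic <code>O_EXCL</code>/<code>O_NOFOLLOW</code> and <code>mkstemp</code> forms this section recommends, with a constructed self-check that plants a symlink where the temporary file would go and confirms the hardened open refuses it. The function names and the <code>/tmp/symrace.XXXXXX</code> scratch directory are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Vulnerable check-then-create from the text: a symlink planted between
 * access() and open() is followed, and the link's target gets truncated. */
int create_temp_naive(const char *path) {
    if (access(path, F_OK) == 0) return -1;          /* "already there" */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: a single atomic call. O_EXCL fails if any entry (a symlink
 * included) exists; O_NOFOLLOW refuses a symlink as the final component. */
int create_temp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Library form: mkstemp() picks an unpredictable suffix for the trailing
 * XXXXXX and creates the file with O_EXCL itself. */
int create_temp_mkstemp(char *template_buf) {
    return mkstemp(template_buf);
}

/* Constructed scenario: a symlink "foo" sits where the temp file will go,
 * pointing at a file standing in for /root/.rhosts. Returns 1 if the
 * hardened open refuses it (EEXIST or ELOOP, depending on the kernel). */
int hardened_open_refuses_symlink(void) {
    char dir[] = "/tmp/symrace.XXXXXX", target[300], link[300];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/foo", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0) return 0;
    close(t);
    if (symlink(target, link) != 0) return 0;
    int fd = create_temp_safe(link);                 /* must not succeed */
    int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return refused;
}
```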
