Race conditions are a common problem in operating system protection mechanisms. An easy example involves a Time-of-check to Time of Use (TOCTOU) race based on Unix symbolic links, which contain a path that is resolved at access time. For example, the UNIX print utility lpr runs setuid root and has the ability to read any file on the system and send it to the printer an operation that requires root privileges. To prevent a user from printing a file she doesnt own, it checks the ownership of a file before printing it:

if (access(argv[1], R OK) != 0)

exit(1);

fd = open(argv[1], O RDONLY);

send_to_printer(fd)

a. Explain how a user can use two programs in combination with symbolic links to get lpr to print a file to which the user does not have permission to open.

b. To actually mount a practical attack, timing is critical. The attacker must make sure the second program is able to run exactly between the two system calls in the above code. How can the attacker guarantee this?