The following root$-$owned Set$-$UID program needs to write to a file, but it wants to

Race Condition Vulnerability $3$

ensure that the file is owned by the user. It uses fstat$()$ to get the file owner$$s ID$,$ and

compares it with the real user ID of the process. If they do not match, the program will

exit. Please describe whether there is a race condition in the program? If so$,$ please explain how you can exploit the race condition. The manual of fstat$()$ and fileno$()$

can be found online.

#include

#include

#include

#include

int main$()$

$\{$

struct stat statbuf;

uid$\_$t real$\_$uid;

FILE$*$ fp;

fp $=$ fopen$("/$tmp$/$XYZ$","$a$+")$;

fstat$($fileno$($fp$),$ &statbuf$)$;

printf$("$The file owner$$s user ID: $\%$d

$",$ statbuf.st$\_$uid$)$;

printf$("$The process$$s real user ID: $\%$d

$",$ getuid$())$;

$//$ Check whether the file belongs to the user

if $($statbuf$.$st$\_$uid $==$ getuid$())\{$

printf$("$IDs match, continue to write to the file.

$")$;

$//$ write to the file $...$

if $($fp$)$ fclose$($fp$)$;

$\}$ else $\{$

printf$("$IDs do not match, exit.

$")$;

if $($fp$)$ fclose$($fp$)$;

return $-1$;

$\}$

return $0$;

$\}$