Tuesday, 4 March 2008

Where is the bug?


Here is a simple proggy, and your mission is to find out the bug, and how someone could exploit it.

proggy.c

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* sleep() */
#include <fcntl.h>

int main(int argc, char* argv[])
{
    FILE *fd;

    /* Nested functions are a GCC extension; the program builds with gcc. */
    void writing_pass_to_file()
    {
        /* Step 1: the password from the command line goes to a file in /tmp */
        fd = fopen("/tmp/test", "w");
        fprintf(fd, argv[1]);
        fclose(fd);
    }

    writing_pass_to_file();
    sleep(5);

    void some_crypting_here()
    {
        /* Step 2: the file is reopened and "processed" */
        fd = fopen("/tmp/test", "r");
        printf("Doing some crypting now..\n");
        sleep(5);
        fclose(fd);
        printf("Crypting done.\n");
    }

    some_crypting_here();

    /* Step 3: cleanup */
    system("rm /tmp/test");
    return 0;
}


About the proggy: let's say that in the real world it would be a piece of code responsible for some user/password management. It takes the password from the command line and does some stuff with it, like crypting.
What happens when the program is run in superuser mode (on Linux)?
I will post the simple solution later, once there are enough responses.


Well, it seems that Vhaerun figured it out: http://rstzone.org/forum/where-is-the-bug-t10502.rst

Yes, you can exploit this using the ln command to create a link to the password file. One trick is to use the -f option (see man ln for more information), to "force" the removing of the destination file.

ln -f /tmp/test /tmp/test2

In my tests, the -s option is not so useful, because the removal of the file alters the link.
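For comparison, here is a hardened rewrite of the proggy's file handling. This is an added example, not code from the original post: it replaces the fixed /tmp/test with an exclusive, unpredictable temp file that is unlinked the moment it is created (so no name is left for ln to link to), reads the data back through the open descriptor instead of reopening a path, drops the system("rm ...") call, and never passes argv[1] to fprintf as a format string. The function name handle_secret and the /tmp/pass.XXXXXX template are my own choices.

```c
/* Hardened rewrite of the proggy's temp-file handling (added example, not
 * the post's code). Mitigations: user input is never used as a format
 * string, the fixed /tmp/test becomes an exclusive 0600 temp file with an
 * unpredictable name, that name is unlinked right after creation so nothing
 * remains for ln to hard-link, the data is read back through the open
 * descriptor rather than by reopening a path, and no shell "rm" is needed. */
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Writes secret to a private temp file, reads it back (stand-in for the
 * "crypting" step) and returns the byte count read, or -1 on error.
 * last_path (optional) receives the temp name so a caller can check it is gone. */
ssize_t handle_secret(const char *secret, char *last_path, size_t path_len)
{
    char path[] = "/tmp/pass.XXXXXX";  /* mkstemp rewrites the XXXXXX in place */
    char buf[256];
    size_t len = strlen(secret);
    if (len >= sizeof buf)              /* refuse what the read-back cannot hold */
        return -1;
    int fd = mkstemp(path);             /* O_CREAT|O_EXCL: never follows a planted link */
    if (fd < 0)
        return -1;
    if (last_path && path_len > 0) {
        strncpy(last_path, path, path_len - 1);
        last_path[path_len - 1] = '\0';
    }
    /* Unlink at once: the descriptor keeps the inode alive for us, but no
     * name remains for another user to hard-link before the cleanup. */
    if (unlink(path) != 0) { close(fd); return -1; }

    if (write(fd, secret, len) != (ssize_t)len) { close(fd); return -1; }

    if (lseek(fd, 0, SEEK_SET) != 0) { close(fd); return -1; }
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n < 0) { close(fd); return -1; }
    buf[n] = '\0';
    /* ... real code would hash buf here instead of keeping plaintext ... */
    memset(buf, 0, sizeof buf);         /* scrub the plaintext from memory */
    close(fd);                          /* last name and last reference gone: data released */
    return n;
}
```

Whether root or not, the only moment a name exists is the window between mkstemp and unlink, and that name is random, which is what defeats the ln trick above.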
