Colin Phipps found an interesting symlink attack problem
in fsh (a tool to quickly run remote commands over rsh/ssh/lsh). When fshd
starts it creates a directory in /tmp to hold its sockets. It tries to do that
securely by checking if it can chown that directory if it already exists to
check if it is owned by the user invoking it. However an attacker can
circumvent this check by inserting a symlink to a file that is owned by the
user who runs fshd and replacing that with a directory just before fshd creates
the socket.
