Symlinks (symbolic links) point to an arbitrary file or directory. Writing to a symlink means writing to its final destination, perhaps without the writer knowing about the delegation, because the symlink mechanism is supposed to be transparent. A program has to take explicit steps to recognize that a path is a symlink rather than a regular file. Shells provide special syntax, e.g. to not follow symlinks. System calls provide special parameters (O_NOFOLLOW) to avoid following symlinks automatically.
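
    #!/bin/sh
    # Lowercase every *.txt file below the current directory.
    for i in `find . -name "*.txt"` ; do
        # Unsafe: fixed, predictable temp file name in world-writable /tmp
        tr "A-Z" "a-z" <$i > /tmp/unsafe.tmp
        mv /tmp/unsafe.tmp $i
    done
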
(Script taken from Linux Magazin 04/05; see resources.)
By using a fixed default filename, this script gives an attacker the opportunity to place a file of that name into the directory in advance. If this file is a symlink, the user executing the script will overwrite whatever file the symlink really points to. If the user is root, any file can be overwritten (not to forget: the original file is also destroyed).
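
A hardened form of the loop above, as an added example that is not part of the original article or the magazine script. The function name lowercase_txt and the .lc. prefix are made up for illustration, and the example assumes a mktemp utility that accepts a template (GNU coreutils and the BSDs provide one).

```shell
#!/bin/sh
# Added example: same job as the script above, without a predictable
# temp file. lowercase_txt is a hypothetical name chosen for this example.

# lowercase_txt DIR: lowercase the contents of every *.txt file below DIR.
lowercase_txt() {
    # -type f matches regular files only, so a symlink that merely carries
    # a .txt name is skipped. -exec ... {} + passes each path as one
    # argument, so names containing spaces are not split by the shell.
    find "$1" -type f -name '*.txt' -exec sh -c '
        for f in "$@"; do
            # mktemp picks a random suffix and creates the file exclusively
            # (O_CREAT|O_EXCL, mode 0600). An existing name, including a
            # planted symlink, makes the creation fail instead of being
            # followed. The temp file lives next to the target, so the
            # final mv is a rename within one filesystem.
            dir=$(dirname -- "$f")
            tmp=$(mktemp "$dir/.lc.XXXXXX") || exit 1
            if tr "A-Z" "a-z" <"$f" >"$tmp"; then
                # rename replaces the directory entry of the target
                mv -f -- "$tmp" "$f"
            else
                # do not leave temp files behind on failure
                rm -f -- "$tmp"
                exit 1
            fi
        done' sh {} +
}
```

The converted files end up with the 0600 mode that mktemp assigns; restore the original mode afterwards if other users need to read them.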