install TOCTOU symlink race: unlink-then-create without O_EXCL

## Component
`install`

## Description
The install utility unlinks the destination file, and then recreates it by pathname. 

The code never uses exclusive create semantics (O_EXCL/create_new). After deciding what to install, it reopens the destination by name, trusting that the unlinked path hasn't been replaced.

## Test / Reproduction Steps
```bash
# Terminal 1: privileged install loop
while true; do sudo install source.txt /tmp/attacker-writable/target; done

# Terminal 2: attacker racing to plant symlink
while true; do rm -f /tmp/attacker-writable/target; ln -s /etc/shadow /tmp/attacker-writable/target; done

# On success: /etc/shadow gets overwritten with source.txt contents
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

install TOCTOU symlink race: unlink-then-create without O_EXCL #10023

Component

Description

Test / Reproduction Steps

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

install TOCTOU symlink race: unlink-then-create without O_EXCL #10023

Description

Component

Description

Test / Reproduction Steps

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions