install: prevent TOCTOU race attack

[Dolphindalt]

Description

See #10023 for details on the vulnerability and how to test/reproduce.

This PR fixes the vulnerability by using atomic exclusive creation with the O_EXCL flag.

• create_new() ensures the file is created atomically
• Fails if anything exists at the path (including symlinks)
• Prevents following symlinks, even if created during the race window

Testing

• All existing install tests pass
• Added test_install_replaces_symlink() to verify install doesn't follow symlinks
• Ran manual test as described in install TOCTOU symlink race: unlink-then-create without O_EXCL #10023 (could this be incorporated into the test suite somehow?)

[github-actions]

GNU testsuite comparison:

Skipping an intermittent issue tests/timeout/timeout (passes in this run but fails in the 'main' branch)

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/timeout/timeout (fails in this run but passes in the 'main' branch)

[Dolphindalt]

I suspect that the failure is a flaky test as it is unrelated to the changes. I pulled in the latest changes from main just in case.

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/tty/tty-eof. tests/tty/tty-eof is passing on 'main'. Maybe you have to rebase?

[codspeed-hq]

CodSpeed Performance Report

Merging #10067 will not alter performance

_{Comparing Dolphindalt:main (ba34629) with main (adebe06)}

Summary

✅ 139 untouched
⏩ 37 skipped¹

Footnotes

1. 37 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩