From f474c0c8fda85d0653756fb0dccc19b038067783 Mon Sep 17 00:00:00 2001
From: matthew-pilot <matthew@vulturelabs.io>
Date: Sat, 30 May 2026 04:26:20 +0000
Subject: [PATCH] fix: add -n flag to ln -sf in install.sh to prevent symlink
 TOCTOU (PILOT-271)

The writable-check then ln -sf in install.sh:342-349 is non-atomic.
Without -n (--no-dereference), if an attacker races between the check
and the ln call to replace the destination path with a symlink to a
directory, ln would follow it and create the link inside that
directory instead of replacing it. Adding -n makes ln treat the
destination as a non-directory, preventing symlink dereference.

Fixes: PILOT-271
---
 install.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/install.sh b/install.sh
index f3b558fa..81c34719 100755
--- a/install.sh
+++ b/install.sh
@@ -340,10 +340,10 @@ chmod 755 "$BIN_DIR/pilot-daemon" "$BIN_DIR/pilotctl" "$BIN_DIR/pilot-gateway"
 
 LINK_DIR="/usr/local/bin"
 if [ -d "$LINK_DIR" ] && [ -w "$LINK_DIR" ]; then
-    ln -sf "$BIN_DIR/pilot-daemon" "$LINK_DIR/pilot-daemon"
-    ln -sf "$BIN_DIR/pilotctl" "$LINK_DIR/pilotctl"
-    ln -sf "$BIN_DIR/pilot-gateway" "$LINK_DIR/pilot-gateway"
-    [ -f "$BIN_DIR/pilot-updater" ] && ln -sf "$BIN_DIR/pilot-updater" "$LINK_DIR/pilot-updater"
+    ln -sfn "$BIN_DIR/pilot-daemon" "$LINK_DIR/pilot-daemon"
+    ln -sfn "$BIN_DIR/pilotctl" "$LINK_DIR/pilotctl"
+    ln -sfn "$BIN_DIR/pilot-gateway" "$LINK_DIR/pilot-gateway"
+    [ -f "$BIN_DIR/pilot-updater" ] && ln -sfn "$BIN_DIR/pilot-updater" "$LINK_DIR/pilot-updater"
     echo "  Symlinked to ${LINK_DIR}"
 fi