author: Karan Kurani <karankurani3k@gmail.com> 2026-04-13 23:32:12 +0530
committer: Eric Biggers <ebiggers3@gmail.com> 2026-04-14 23:30:23 -0700
commit: 2dee71cdc2a7bccead530a42dfd10736e8de45a9
tree: e41917046ca1f9fbc8f2df748066710bd26369eb /vendor/golang.org/x/crypto/ssh
parent: 298ed2a6c44cde90b4262b884169c53b8deda508
recovery: add O_NOFOLLOW|O_EXCL to prevent symlink-following in recovery file creation
WriteRecoveryInstructions() opens the recovery README with os.OpenFile using O_WRONLY|O_CREATE without O_NOFOLLOW. When fscrypt encrypt runs as root, this allows a local attacker to place a symlink at the recovery file path, causing root to write through the symlink and then fchown the target file to the attacker. Adding O_EXCL|O_NOFOLLOW aligns with the existing security pattern in filesystem.go:608 and filesystem.go:747.
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh')
0 files changed, 0 insertions, 0 deletions
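
The flag change described in the commit message, as an added example that is not fscrypt's code: it opens a path where a symlink already exists, once with O_WRONLY|O_CREATE and once with O_EXCL|O_NOFOLLOW added, and reports whether the link's target was written. The helper names, the file names and the temp-directory scenario are constructed for illustration, and a Linux system is assumed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openRecovery is a hypothetical stand-in for the open call the commit
// message describes; it is not fscrypt's WriteRecoveryInstructions().
func openRecovery(path string, hardened bool) (*os.File, error) {
	flags := os.O_WRONLY | os.O_CREATE // flags the message names as the old behaviour
	if hardened {
		flags |= os.O_EXCL | syscall.O_NOFOLLOW // flags the commit adds
	}
	return os.OpenFile(path, flags, 0o600)
}

// writeViaPlantedSymlink builds a constructed scenario in a private temp
// directory: a symlink already sits at the recovery path and points at another
// file. It reports whether that file was modified, plus the open error.
func writeViaPlantedSymlink(hardened bool) (modified bool, openErr, err error) {
	dir, err := os.MkdirTemp("", "recovery-demo-")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "target.txt")
	link := filepath.Join(dir, "recovery_readme.txt") // constructed name
	if err = os.WriteFile(target, []byte("original"), 0o600); err != nil {
		return false, nil, err
	}
	if err = os.Symlink(target, link); err != nil {
		return false, nil, err
	}
	f, openErr := openRecovery(link, hardened)
	if openErr == nil {
		f.WriteString("recovery instructions") // lands in target if the link was followed
		f.Close()
	}
	data, err := os.ReadFile(target)
	return string(data) != "original", openErr, err
}

func main() {
	fmt.Println(writeViaPlantedSymlink(false)) // O_WRONLY|O_CREATE only
	fmt.Println(writeViaPlantedSymlink(true))  // with O_EXCL|O_NOFOLLOW
}
```

With the extra flags the open fails with EEXIST because O_CREAT|O_EXCL refuses any existing name, symlinks included, so the caller has to treat that error as a failed write and not fall back to a plain open.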