Index: usr.bin/xinstall/xinstall.c
===================================================================
--- usr.bin/xinstall/xinstall.c
+++ usr.bin/xinstall/xinstall.c
@@ -782,12 +782,12 @@
 /* Only copy safe if the target exists. */
 tempcopy = safecopy && target;
- if (!devnull && (from_fd = open(from_name, O_RDONLY, 0)) < 0)
+ if (!devnull && (from_fd = open(from_name, O_RDONLY|O_NOFOLLOW, 0)) < 0)
 err(EX_OSERR, "%s", from_name);
 /* If we don't strip, we can compare first. */
 if (docompare && !dostrip && target) {
- if ((to_fd = open(to_name, O_RDONLY, 0)) < 0)
+ if ((to_fd = open(to_name, O_RDONLY|O_NOFOLLOW, 0)) < 0)
 err(EX_OSERR, "%s", to_name);
 if (devnull) files_match = to_sb.st_size == 0;
@@ -830,7 +830,8 @@
 * that does not work in-place -- like GNU binutils strip. */
 close(to_fd);
- to_fd = open(tempcopy ? tempfile : to_name, O_RDONLY, 0);
+ to_fd = open(tempcopy ? tempfile : to_name,
+ O_RDONLY|O_NOFOLLOW, 0);
 if (to_fd < 0) err(EX_OSERR, "stripping %s", to_name);
 }
@@ -842,7 +843,7 @@
 temp_fd = to_fd;
 /* Re-open to_fd using the real target name. */
- if ((to_fd = open(to_name, O_RDONLY, 0)) < 0)
+ if ((to_fd = open(to_name, O_RDONLY|O_NOFOLLOW, 0)) < 0)
 err(EX_OSERR, "%s", to_name);
 if (fstat(temp_fd, &temp_sb)) {
@@ -914,7 +915,7 @@
 /* Re-open to_fd so we aren't hosed by the rename(2). */
 (void) close(to_fd);
- if ((to_fd = open(to_name, O_RDONLY, 0)) < 0)
+ if ((to_fd = open(to_name, O_RDONLY|O_NOFOLLOW, 0)) < 0)
 err(EX_OSERR, "%s", to_name);
 }
@@ -1136,7 +1137,8 @@
 saved_errno = errno;
 }
- newfd = open(path, O_CREAT | O_RDWR | O_TRUNC, S_IRUSR | S_IWUSR);
+ newfd = open(path, O_CREAT | O_RDWR | O_TRUNC | O_NOFOLLOW,
+ S_IRUSR | S_IWUSR);
 if (newfd < 0 && saved_errno != 0) errno = saved_errno;
 return newfd;
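Review bot: In the first hunk (-782), O_NOFOLLOW on the `to_name` open only rejects a symlink in the final path component, while `files_match = to_sb.st_size == 0` still relies on `to_sb`, which appears to be filled by a path-based stat made before this open (outside the hunk) rather than from the descriptor just opened. A check on the descriptor would tie the two together, for example with a new local `sb`: `if (fstat(to_fd, &sb) != 0 || sb.st_dev != to_sb.st_dev || sb.st_ino != to_sb.st_ino) errx(EX_OSERR, "%s: changed during install", to_name);`. The path re-opens of `to_name` in the hunks at -830 and -914 may warrant the same check if no fstat follows them. Separately, the flag on the `from_name` open makes a symlinked source fail where it used to be read through; if that is intended it deserves a dedicated message, because the errno reported by the bare `err(EX_OSERR, "%s", from_name)` (EMLINK on FreeBSD, ELOOP on other systems) reads as unrelated. The enclosing function starts and ends outside the hunk.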
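Review bot: In the last hunk (-1136), O_NOFOLLOW refuses a symlink at `path`, but `O_TRUNC` still truncates any non-symlink object found there at open time, such as a hard link or a file recreated after the removal that seems to precede this call (the `saved_errno = errno;` context suggests an unlink outside the hunk). When that removal succeeded or no target existed, the create could be made exclusive so that any pre-existing entry fails the open: `O_CREAT | O_RDWR | O_NOFOLLOW | (saved_errno == 0 ? O_EXCL : O_TRUNC)`; this should be verified against the backup branch of the full function. A short comment such as `/* O_NOFOLLOW: refuse a symlink at path; parent directories are not covered */` would record what the flag does and does not guarantee. The function body begins outside the hunk.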