[jwilk]

All the attacker has to do is:

  touch /tmp/pubkey.pem
  chmod a+w /tmp/pubkey.pem

before the victim runs the code.

No sticky bit, no restrictive umask, also no protected_hardlinks/protected_symlinks is going to save you.