rename does not fail when the target file is open, so that sequence of events would not cause this problem to arise in practice. I don't understand the explanation for why you would open krb5.conf with O_NOLINKS. Profiles are read out of well-controlled paths like /etc/krb5.conf or /var/krb5kdc/kdc.conf, not uncontrolled paths under /tmp. There is no way an attacker could redirect someone to the wrong file.