Comment: Updated description for secure_dir().

...

This sample implementation of the function secure_dir() ensures that the directory fullpath and all directories above it are owned by either the user or the superuser, and that other users do not have write access to the directories. When checking directories, it is important to traverse from the root to the leaf to avoid a dangerous race condition in which an attacker who has privileges to at least one of the directories can rename and re-create a directory after the privilege verification.

fullpath need not be canonicalized (see FIO02-C. Canonicalize path names originating from untrusted sources). If the path contains a symbolic link, this routine recursively invokes itself on the linked-to directory and ensures that it is also secure. A symbolically linked directory may be secure if both its source and its linked-to directory are secure. The function checks every directory in the canonical path, ensuring that every directory is owned by the current user or by root, that the leaf directory disallows write access to everyone but the owner, and that all other directories in the path forbid other users from deleting or renaming files (by turning off group write access and world write access).

Note that this function is only effective on filesystems that are fully compatible with UNIX permissions, and it may not behave normally for filesystems with other permission mechanisms, such as AFS.
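The following is an added illustration of the root-to-leaf check described above; it is not the CERT implementation of secure_dir(). It assumes that the caller's identity is geteuid(), that canonicalization is done with realpath(), and that the per-directory test is reduced to the two rules the description gives (owner is the caller or root; no group or world write bit).

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* One directory's metadata is acceptable when it is a directory, is owned
 * by the caller or by root, and is not writable by group or by others
 * (otherwise another user could rename or delete entries beneath it). */
int dir_meta_ok(const struct stat *st, uid_t me) {
  if (!S_ISDIR(st->st_mode)) return 0;
  if (st->st_uid != me && st->st_uid != 0) return 0;
  if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
  return 1;
}

/* Convenience wrapper so the rule can be exercised on constructed
 * metadata (mode bits and owner) without touching the filesystem. */
int meta_ok_for(mode_t mode, uid_t owner, uid_t me) {
  struct stat st;
  memset(&st, 0, sizeof st);
  st.st_mode = mode;
  st.st_uid = owner;
  return dir_meta_ok(&st, me);
}

/* Canonicalize an absolute path (this follows any symbolic links, so the
 * linked-to directories are the ones checked), then verify each prefix
 * starting at "/" and moving toward the leaf. Returns 1 if every
 * directory passes, 0 otherwise. Note: stat() on each prefix still
 * leaves a window between check and use; the root-first order only
 * removes the rename-and-recreate race described in the text. */
int secure_dir_path(const char *fullpath) {
  char canon[PATH_MAX], prefix[PATH_MAX];
  struct stat st;
  uid_t me = geteuid();
  size_t i, len;
  if (fullpath[0] != '/' || realpath(fullpath, canon) == NULL) return 0;
  len = strlen(canon);
  if (stat("/", &st) != 0 || !dir_meta_ok(&st, me)) return 0;
  for (i = 1; i <= len; i++) {
    if (canon[i] != '/' && canon[i] != '\0') continue;
    memcpy(prefix, canon, i);
    prefix[i] = '\0';
    if (stat(prefix, &st) != 0 || !dir_meta_ok(&st, me)) return 0;
  }
  return 1;
}
```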

...