...
Because of the potential for race conditions and the inherent accessibility of shared directories by untrusted users, files must be operated on only by secure paths. Because A secure path is a directory that cannot be moved or deleted by untrusted users. Furthermore, its parent path must also be secure, as well as the grandparent path, and so on, up to the root. Furthermore, if the path includes any symbolic links, both the link's target path and the path containing the link, must be secure paths. Because programs may run with reduced privileges and lack the facilities to construct a secure path, a program may need to abort if it determines that a given path is not secure.
...