Report
CVE-2017-18018: TOCTOU race in coreutils chown/chgrp/chmod -R via symlink swap
1f3c21f5-1207-4f9f-8f5b-65d15efc3cc7
In GNU coreutils through 8.29, chown-core.c:change_file_owner and chmod.c:process_file are vulnerable to a TOCTOU race. They stat a file via FTS, gate on its type, then issue a path-based syscall (chownat at chown-core.c:438 / chmodat at chmod.c:273) that follows symlinks. An attacker controlling a directory under a recursive chown -R or chmod -R can swap a regular file with a symlink to /etc/shadow between the stat and the syscall, redirecting the privileged ownership/mode change to an arbitrary file. The fd-safe helper restricted_chown (chown-core.c:211-262) does openat+fstat+SAME_INODE+fchown but is bypassed by the early return at lines 222-223 unless --from=O:G is given.
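The descriptor-based sequence named above (openat, fstat, same-inode comparison, fchown), written out as an added C example; it is not the coreutils `restricted_chown` source. The names `fd_safe_chown` and `demo`, the `/tmp` scratch directory, the constructed files, and the extra `O_NOFOLLOW` flag are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Change ownership of `name` (inside dirfd) only if it is still the object
 * described by `seen`, the stat result the traversal took earlier.
 * Returns 0 = changed, 1 = skipped (object was replaced), -1 = error. */
int fd_safe_chown(int dirfd, const char *name, const struct stat *seen,
                  uid_t uid, gid_t gid)
{
    /* O_NOFOLLOW (an assumption added here) rejects a symlink as last component. */
    int fd = openat(dirfd, name, O_RDONLY | O_NONBLOCK | O_NOCTTY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat now;
    int rc = -1;
    if (fstat(fd, &now) == 0) {
        if (now.st_dev != seen->st_dev || now.st_ino != seen->st_ino)
            rc = 1;                      /* swapped after the earlier stat */
        else
            rc = fchown(fd, uid, gid);   /* acts on the verified descriptor */
    }
    close(fd);
    return rc;
}

/* Constructed scenario: stat "f", optionally swap it, then call the helper.
 * swap: 0 = leave alone, 1 = rename another file over it, 2 = make it a symlink.
 * Returns the helper's result, or -2 if the scratch setup itself failed. */
int demo(int swap)
{
    char dir[] = "/tmp/fdchown.XXXXXX";
    if (!mkdtemp(dir)) return -2;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -2;
    close(openat(dfd, "f", O_CREAT | O_WRONLY, 0600));
    close(openat(dfd, "other", O_CREAT | O_WRONLY, 0600));
    struct stat seen;
    int bad = fstatat(dfd, "f", &seen, AT_SYMLINK_NOFOLLOW);  /* the "check" */
    if (!bad && swap == 1) bad = renameat(dfd, "other", dfd, "f");
    if (!bad && swap == 2) bad = unlinkat(dfd, "f", 0) || symlinkat("other", dfd, "f");
    int rc = bad ? -2 : fd_safe_chown(dfd, "f", &seen, geteuid(), (gid_t)-1);
    unlinkat(dfd, "f", 0); unlinkat(dfd, "other", 0);
    close(dfd); rmdir(dir);
    return rc;
}

int main(void) { printf("%d %d %d\n", demo(0), demo(1), demo(2)); return 0; }
```

Because `fchown` operates on the descriptor that was just compared against the earlier stat result, a rename or symlink swap of the path after the check cannot redirect the ownership change.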