This was only an issue when syncing files to directories where other
users have write access to the parent directory. For example when
copying files to /home/user/.ssh/authorized_keys the user could replace
.ssh with a symlink which permitted overwriting authorized_keys anywhere
on the system.
Fix possible attacks by using *at syscalls and disallowing symlinks in
all path components except for the last of synced paths. Syncing
symlinks is obviously still permitted.