Protect against check-and-open race conditions
    
    There is a small window between running lstat() on a filename and
    opening it where it's possible for the file to have been modified.
    We were protecting against this by saving the stat data from the
    original file and verifying that it was the same file (by device
    and inode) when we opened it again, but this is an imperfect
    solution, as it is still possible for an attacker to modify the
    permissions during this window.
    
    It is much better to simply open the file and test on the active
    file descriptor.
    
    Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as
    without the initial lstat, we are implicitly accepting symlinks
    and only verifying the target file.