Race condition in chown_one() in systemd allows an attacker to arbitrarily change permission of files. In some situations, systemd needs to recursively change ownership of files. In the case when the file is not a link, it needs to re-set the file mode because it can be changed by the operating system. Due to the racy behaviour of the function, an attacker can bypass the check and change the mode of any file in the system.