Issue 873733

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug

Blocking:
issue 766275




restricting symlinks in sticky dirs only works for final path component

Project Member Reported by vapier@chromium.org, Aug 13

Issue description

this was noted in issue 766275 by the reporter, but it looks like it was lost in the shuffle, so splitting out

to reproduce:
(1) create a symlink as a non-root user in a sticky dir (e.g. /tmp)
# sudo -u chronos ln -s / /tmp/foo

(2) try to deref that symlink as root and fail (good!)
# ls /tmp/foo/
ls: cannot access '/tmp/foo/': Permission denied

(3) try to deref that symlink further and pass (bad!)
# ls /tmp/foo/home/
chronos  root  user

issue 766275 was able to exploit this because the /tmp usage had two levels of predictable names, so they symlinked the top level name to a non-sticky dir they controlled.
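
For privileged code that has to open a multi-level path under a sticky directory, one way to avoid depending on the final-component restriction is to refuse symlinks at every component. The following is an added example, not part of the original report or of any Chromium OS code; `open_nosymlinks` and `demo` are hypothetical names, and the fixture directory is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example): open `path` one component at a time
 * with O_NOFOLLOW, so a symlink in ANY component fails, not only the last.
 * Check and use are the same openat() call, so there is no stat/open race.
 * final_flags must not contain O_CREAT. Returns an fd, or -1 with errno. */
int open_nosymlinks(const char *path, int final_flags)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    char *c = strtok_r(buf, "/", &save);
    while (c && dirfd >= 0) {
        char *next = strtok_r(NULL, "/", &save);
        /* Every component except the last must be a real directory. */
        int flags = (next ? (O_RDONLY | O_DIRECTORY) : final_flags) | O_NOFOLLOW | O_CLOEXEC;
        int fd = -1, err = EINVAL;            /* ".." is rejected outright */
        if (strcmp(c, "..") != 0) { fd = openat(dirfd, c, flags); err = errno; }
        close(dirfd);
        if (fd < 0) errno = err;
        dirfd = fd;
        c = next;
    }
    return dirfd;
}

/* Constructed fixture: <tmpdir>/real/file plus symlink <tmpdir>/link -> real.
 * Result bits: 1 = direct path opens, 2 = plain open() follows the
 * intermediate symlink, 4 = open_nosymlinks() refuses that same path. */
int demo(void)
{
    char base[] = "/tmp/nosymXXXXXX";
    int r = 0, fd;
    if (!mkdtemp(base) || chdir(base) || mkdir("real", 0700) || symlink("real", "link"))
        return -1;
    if ((fd = open("real/file", O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open_nosymlinks("real/file", O_RDONLY)) >= 0) { r |= 1; close(fd); }
    if ((fd = open("link/file", O_RDONLY)) >= 0) { r |= 2; close(fd); }
    if (open_nosymlinks("link/file", O_RDONLY) < 0) r |= 4;
    return r;
}

int main(void) { return demo() == 7 ? 0 : 1; }
```

Intermediate directories are opened with `O_RDONLY`, so the caller needs read permission on them; on Linux, `O_PATH` can be used instead where only search permission is available.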
 
