BSD 2.9 (maybe 4.1) had this problem also, in that case the link count
was stored in a u_char, I think. (you needed to fork something line 23
processes or something to do it since the per process file descriptor
table size was significantly smaller then the file's link counter).
It was possible to hack root by opening a file in the / (root)
filesystem till the that files link count was 0 (and thus it was
added to the freelist). Next you would change your password or
finger/gecos info a few times till "your" inode was reallocated
and used for the password file thus leaving you a open file descriptor
to the password file.
Since I do not run Linux I can not test to see if you can do this under Linux
I have some *old* exploit code for this at home on a disconnected
system but since I am on the road I can get to it. I try to remember to
send it to rootshell.com when I get home.
-Pete