Quoting from RedHat bug at $URL: In kernel versions beginning with 2.6.15 and including 2.6.24-rc7, it is possible for unprivileged local users to truncate any directory for which they have write permission. This renders all the contents of the directory inaccessible. It is then possible (given appropriate privileges) to remove the apparently empty directory. This can orphan inodes that had their only link from that directory. This issue description from LKML: <cite> Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka "VFS: Allow the filesystem to return a full file pointer on open intent" to be exact), Trond changed the open logic to keep track of the original flags to a file open, in order to pass down the the intent of a dentry lookup to the low-level filesystem. However, when doing that reorganization, it changed the meaning of namei_flags, and thus inadvertently changed the test of access mode for directories (and RO filesystem) to use the wrong flag. So fix those test back to use access mode ("acc_mode") rather than the open flag ("flag"). Issue noticed by Bill Roman at Datalight. </cite> There is also patch provided together with this issue: patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline
[linux < 2.6.16.59] fb7a7420ea718a6504e5c620ada0e42b23446b27 [linux >= 2.6.17 < 2.6.22.16] 53d06121542c36ec0f0e5504c8358a768e25cb9a [linux >= 2.6.23 < 2.6.23.14] 3093d39c9361dae001efaea9279b0b23e38f049c [gp < 2.6.23-7]