Um, turns out there's a local root exploit in the linux kernel versions 2.6.17 to 2.6.24.1. I just tried it on my machines - yeah, it works. Read the slashdot discussion here [it.slashdot.org] and see the proof of concept code here [milw0rm.com].

Still reading about it now. This is huge. Hold me.

Never posted back about this did I? Oops. Well, here's a fix that should apply to most any vulnerable kernel. The affected file is fs/splice.c: