User can create the hard link for a file not owned by him. ptrace() can be attached to suid process, signals may be passed to any process, buffer overflows and privelege escalations in many utilities.
vulners.com/securityvulns/securityvulns:doc:3018
vulners.com/securityvulns/securityvulns:doc:3026
vulners.com/securityvulns/securityvulns:doc:3071