Subject: Re: CRITICAL ** Holes in default cron jobs ** CRITICAL
To: der Mouse <mouse@Holo.Rodents.Montreal.QC.CA>
From: Greg Hudson <ghudson@mit.edu>
List: tech-kern
Date: 01/02/1997 10:48:22

You are correct; I was already in the process of sending mail
apologizing for not thinking of deferred disabling of symlinks.  I had
thought I had thought things through carefully, but I guess not.  (I
also didn't see your example.)

So, while modifying the kernel is not strictly necessary to get around
this security hole, you can certainly do it without removing existing
functionality.  Sorry for being alarmist.

[In reference to having more directory levels than file descriptors.]
> So even if you were willing to go to the trouble of doing the
> filesystem walk with fchdir(), the code complexity would quickly get
> - in my opinion - unmanageable.

The code would probably be encapsulated in the fts_*() calls,
dependent on some option, so even if it were difficult, it would
probably be manageable.  I admit that I haven't tried out an
implementation yet or thought through all of the consequences, but if
you use chdir("..") instead of holding onto a file descriptor to all
of the parent directories, I don't think you need to use more than one
file descriptor at a time.
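
The single-descriptor walk suggested in the message above, sketched as an added example; it is not code from this thread or from the fts implementation. The names walk_cwd and same are hypothetical, and the device/inode check after each chdir() is an assumption of this example about how to notice a directory swapped for a symlink or moved during the walk.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int same(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Walk the tree under the cwd. Returns the count of non-directory entries, or
 * -1 on error or if a directory was swapped or moved mid-walk (cwd untrusted). */
long walk_cwd(void) {
    struct stat here, ent, now;
    struct dirent **list;
    long total = 0, sub;
    /* scandir() reads every name into memory and closes the directory, so
     * no descriptor stays open while we are below this level. */
    int n = stat(".", &here) == 0 ? scandir(".", &list, NULL, NULL) : -1;
    if (n < 0) return -1;
    for (int i = 0; i < n; i++) {
        const char *name = list[i]->d_name;
        if (total >= 0 && strcmp(name, ".") && strcmp(name, "..") &&
            lstat(name, &ent) == 0) {
            if (!S_ISDIR(ent.st_mode)) {
                total++;            /* files and symlinks are never entered */
            } else if (chdir(name) == 0) {
                /* chdir() follows symlinks: descend only if we landed in
                 * the directory that lstat() described. */
                sub = (stat(".", &now) == 0 && same(&now, &ent)) ? walk_cwd() : -1;
                /* Climb with chdir("..") and confirm we are back in "here". */
                if (chdir("..") < 0 || stat(".", &now) < 0 || !same(&now, &here))
                    sub = -1;
                total = sub < 0 ? -1 : total + sub;
            }
        }
        free(list[i]);
    }
    free(list);
    return total;
}

int main(int argc, char **argv) {
    if (argc > 1 && chdir(argv[1]) < 0) return 1;
    printf("%ld\n", walk_cwd());
    return 0;
}
```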