No thread safety in libc
stat64() doesn't work properly
The server processes are included in the same job as the client processes. The server has the same process group ID, and the shell will wait for it. This is convenient (for printing the exit status), but wrong. If the user presses Ctrl-C and the client handles SIGINT and survives, the server will still be killed, and the client will become mostly useless.
libc's object-based execve() ignores the close-on-exec flag
Shell: build-fs.c: If you have the command "cmd foo", and `foo' is a symlink, the symlink will be followed and the shell will also grant access to the destination of the link. If you have the command "cmd => foo", the symlink is not followed. This is inconsistent. Actually, I have realised that following the symlink is not good from a security point of view.
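The difference between the two argument forms in the build-fs.c entry, as an added example that is not Plash's own code: grant_set() and demo() are hypothetical names, and the fixture (a temporary directory holding a file "secret" and a link "foo" pointing to it) is constructed. With following enabled, one argument exposes two paths, and the second is picked by whoever created the link.

```c
/* Added illustration, not Plash's build-fs.c; all names are hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Paths exposed for one argument. follow=1 models "cmd foo" (the name plus
   the resolved destination); follow=0 models "cmd => foo" (the name only).
   Returns the number of paths written to out (0 on error). */
int grant_set(const char *arg, int follow, char out[2][PATH_MAX])
{
    struct stat st;
    int n = 0;
    if (lstat(arg, &st) != 0)            /* lstat does not follow the link */
        return 0;
    snprintf(out[n++], PATH_MAX, "%s", arg);
    if (follow && S_ISLNK(st.st_mode) && realpath(arg, out[n]) != NULL)
        n++;                             /* destination added to the grant */
    return n;
}

/* Constructed fixture: <tmpdir>/secret is a file, <tmpdir>/foo -> secret. */
int demo(int follow, char out[2][PATH_MAX])
{
    char dir[] = "/tmp/grantXXXXXX", target[PATH_MAX], lnk[PATH_MAX];
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/foo", dir);
    if ((f = fopen(target, "w")) == NULL) return -1;
    fclose(f);
    if (symlink("secret", lnk) != 0) return -1;
    int n = grant_set(lnk, follow, out);
    unlink(lnk); unlink(target); rmdir(dir);
    return n;
}

int main(void)
{
    char out[2][PATH_MAX];
    for (int f = 0; f <= 1; f++)
        printf("follow=%d grants %d path(s)\n", f, demo(f, out));
    return 0;
}
```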