Since no one else wants to comment, here goes. Sorry if it sounds like I'm picking on you, I'm actually very happy to see someone else looking at this problem from a different perspective :-)

11 is actually FILEUTILS_FORCE | FILEUTILS_DEREFERENCE | FILEUTILS_PRESERVE_STATUS, one of which is lost in translation above ;-) Why not use symbolic constants here? The code would be self-documenting, and also protected against future flag changes.

If /tmp isn't there you've got bigger problems, I would just log something to stderr and proceed with no history. Besides, a) a non-root shell wouldn't be able to create it anyway, b) the return value of bb_make_directory() is ignored, and c) the mode might be inappropriate if CONFIG_ASH_HIST_BUFFER_PATH points to a different place.

That's a predictable filename in a world-writable dir again. To illustrate, imagine that one of your "mates" grabs your N900 when you're not looking (and before you've had a chance to run a root shell after a reboot) and types something like "ln -s /etc/passwd /tmp/.ash_hist_root". Now imagine what happens next time you start a root shell.

I missed this last time, why not just use creat(2)? Come to think of it, there's no need to create storedhistory at this point, you could just creat() tmphistory directly and skip the copy - one write less :-)

This will have race conditions no matter what checks you do here, so best to just use a private per-user path as in the earlier version. Also, same comment on 11 as above.