In Linux, every process holds its own file descriptor table, which keeps references to all opened files and file-like devices. This table is managed by the kernel.
Is it possible that a non-privileged user modifies a file descriptor in the file descriptor table of an elevated process so that the file descriptor points to another file?
A Practical Example
Process 1000 runs as root and reads continuously from FD 0 (stdin) to FD 1 (stdout). Process 1001 runs as eve and wants to modify the file descriptor table of PID 1000 so that FD 1 points to /etc/sudoers instead.
Is this possible?