NSPR logging is controlled with a couple of environment variables, one to enable it, and a second to control the name of the log file. This appears to all work in "optimized" (non-debug) builds. So, if any setuid root program is linked with NSPR, any user can clobber any file on the system (any root writable file) by setting NSPR's environment variables to log to that file, and then running a setuid root program linked with NSPR. External reference: https://bugzilla.mozilla.org/show_bug.cgi?id=351470