anacron (anacron-2.3-9, included in RH7) ships with an /etc/anacrontab file that reads, in part:

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
1 5 cron.daily run-parts /etc/cron.daily

I believe anacron is activated by default. If a site admin gives untrusted users write access to /usr/local/bin or /usr/local/sbin, a malicious user can put a "run-parts" program in one of those two directories, and if anacron decides to do something after the next reboot, that user's script/program will be executed as root.

The PATH setting in the /etc/anacrontab should be adjusted, or removed. The /etc/crontab that came with my RH7 system has a correct PATH setting:

PATH=/sbin:/bin:/usr/sbin:/usr/bin

which would solve this problem just fine.

Hope that helps,
Jason Molenda
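The check below is an added example, not code from either post or from the anacron package. It audits the PATH an anacrontab hands its jobs: for each job line it reports which PATH directory would supply the job's command and flags that directory if it is group- or world-writable, which is the condition the post describes (a user with write access to /usr/local/bin plants a "run-parts" that anacron then runs as root). The function names, the directory tree and the two anacrontabs (one with the shipped PATH order, one with the /etc/crontab PATH) are this example's own and are constructed in a temp dir so it runs offline; on a real host you would call audit_anacrontab on /etc/anacrontab.

```shell
#!/bin/sh
# Added example, not from the original posts. Audit the PATH an anacrontab
# hands its jobs and flag commands that would be picked up from a directory
# that untrusted users can write to. Directory layout and anacrontabs below
# are constructed for the example.

# Print the value of the last PATH= line in anacrontab $1 (empty if none).
anacrontab_path() {
    sed -n 's/^PATH=//p' "$1" | tail -n 1
}

# Print the first directory of the colon-separated PATH $2 that holds an
# executable file named $1. Prints nothing and returns 1 if none does.
resolve_in_path() {
    cmd=$1
    old_ifs=$IFS; IFS=:; set -- $2; IFS=$old_ifs
    for d in "$@"; do
        [ -n "$d" ] || d=.     # an empty PATH element means the current directory
        if [ -f "$d/$cmd" ] && [ -x "$d/$cmd" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Return 0 if directory $1 has the group-write or other-write bit set.
dir_is_shared_writable() {
    [ -d "$1" ] || return 1
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print | grep -q .
}

# For each job line (period delay job-id command args...) in anacrontab $1 print
#   <job-id> <command> <directory supplying the command, or MISSING> [WRITABLE]
audit_anacrontab() {
    path=$(anacrontab_path "$1")
    # drop comments, blank lines and VAR=value assignments; the rest are jobs
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    while read -r period delay jobid cmd rest; do
        case $cmd in
            /*) dir=$(dirname "$cmd") ;;                       # absolute path: PATH not consulted
            *)  dir=$(resolve_in_path "$cmd" "$path") || dir=MISSING ;;
        esac
        if [ "$dir" != MISSING ] && dir_is_shared_writable "$dir"; then
            printf '%s %s %s WRITABLE\n' "$jobid" "$cmd" "$dir"
        else
            printf '%s %s %s\n' "$jobid" "$cmd" "$dir"
        fi
    done
}

# Build a constructed tree under $1 mirroring the post: a legitimate
# bin/run-parts, a group-writable usr/local/bin holding a planted run-parts,
# one anacrontab with the shipped PATH order and one with the /etc/crontab PATH.
make_fixture() {
    root=$1
    mkdir -p "$root/bin" "$root/usr/local/bin"
    chmod 755 "$root/bin"
    printf '#!/bin/sh\n' > "$root/bin/run-parts"
    printf '#!/bin/sh\n# planted by an untrusted user\n' > "$root/usr/local/bin/run-parts"
    chmod 755 "$root/bin/run-parts" "$root/usr/local/bin/run-parts"
    chmod 775 "$root/usr/local/bin"   # the misconfiguration: a user group can write here
    printf 'PATH=%s/usr/local/bin:%s/bin\n1 5 cron.daily run-parts /etc/cron.daily\n' \
        "$root" "$root" > "$root/anacrontab.shipped"
    printf 'PATH=%s/bin\n1 5 cron.daily run-parts /etc/cron.daily\n' \
        "$root" > "$root/anacrontab.fixed"
}

# Audit both constructed anacrontabs and print the reports.
demo() {
    root=$(mktemp -d)
    make_fixture "$root"
    for tab in shipped fixed; do
        echo "== anacrontab.$tab"
        audit_anacrontab "$root/anacrontab.$tab"
    done
    rm -rf "$root"
}

demo
```

With the shipped PATH order the cron.daily job resolves to the planted run-parts in the group-writable usr/local/bin and is flagged WRITABLE; with the /etc/crontab-style PATH it resolves to bin/run-parts and is clean. The find -perm test only looks at mode bits, so a directory writable through an ACL or a writable parent directory would not be caught; treat a clean report as necessary, not sufficient.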
If a local admin gives untrusted users write access to system binary directories, it is they who are opening the hole, and they who need to consider the security ramifications. /usr/local/sbin and /usr/local/bin exist so that local installations can override system level commands without replacing the original binaries, so they belong first in the search order. This is not a bug.