AIX has a similar hole. The DPS server can be entered by /usr/lpp/DPS/bin/dpsexec. Since X runs as root, you can then open and write to any root owned file. I haven't bothered to write an exploit script, but I did try running /etc/security/passwd, and I got a root: UndefinedCommand error. Someone opened a bug against this inside IBM--I forget who, but to my knowledge, know action has been taken. --Sam