[8lgm]-Advisory-10-EXPLOIT describes a hole where a setgid program runs /bin/pwd with popen(3). In case you don't know, this is the way that SunOS, as well as SCO, performs the getcwd() call. Other versions of UNIX may also implement it this way, although Solaris' getwd() doesn't (sorry folks -- don't have enough UNIX machines with trace commands!).

trace/truss -f this C code to check:

    #include <stdio.h>
    #include <unistd.h>   /* getcwd() */

    int main(void)
    {
        char x[1024];
        /* Watch this call under trace/truss -f for a fork or vfork. */
        if (getcwd(x, sizeof x) == NULL) {
            perror("getcwd");
            return 1;
        }
        printf("%s\n", x);
        return 0;
    }

If you see a fork or vfork, your getcwd runs /bin/pwd. If you have any setuid programs that call getcwd(), make sure they sanitise their environment beforehand.

Another thing to watch out for...

--j.
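
One way a set-id program could sanitise its environment before calling getcwd(), as an added example that is not part of the original post. The post does not say which variables matter; the fixed PATH, the default IFS, the TERM/LANG allowlist and the names sanitise_env() and safe_getcwd() are all assumptions made for this sketch.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern char **environ;
#define NKEEP 2
static const char *const keep[NKEEP] = { "TERM", "LANG" }; /* assumed allowlist */

/* Accept only short values made of harmless characters. */
static int is_plain(const char *v)
{
    size_t n = strlen(v);
    return n > 0 && n < 64 && strspn(v, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz0123456789-_.@") == n;
}

/* Replace the inherited environment with a known-good one; 0 on success. */
int sanitise_env(void)
{
    static char *empty[] = { NULL };
    char saved[NKEEP][64] = { { 0 } };
    int i, rc = 0;
    for (i = 0; i < NKEEP; i++) {              /* copy before wiping */
        const char *v = getenv(keep[i]);
        if (v != NULL && is_plain(v))
            strcpy(saved[i], v);               /* fits: is_plain caps length */
    }
    environ = empty;                           /* drop everything inherited */
    rc |= setenv("PATH", "/bin:/usr/bin", 1);  /* fixed search path (assumed) */
    rc |= setenv("IFS", " \t\n", 1);           /* default field separators */
    for (i = 0; i < NKEEP; i++)                /* restore vetted values only */
        rc |= saved[i][0] ? setenv(keep[i], saved[i], 1) : 0;
    return rc ? -1 : 0;
}

/* getcwd() preceded by the clean-up, for libcs that run /bin/pwd. */
char *safe_getcwd(char *buf, size_t size)
{
    return sanitise_env() == 0 ? getcwd(buf, size) : NULL;
}

int main(void)
{
    char x[1024];
    return safe_getcwd(x, sizeof x) != NULL && puts(x) >= 0 ? 0 : 1;
}
```

Call sanitise_env() once, early in main(), so every later library call that spawns a child sees the cleaned environment.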