Local Exploit Issue with:
/usr/bin/urpmi
The urpmi executable (perl script)

[root@localhost /root]# ls -al /usr/bin/urpmi
-rwsr-x---    1 root     urpmi        9352 Apr  4  2000 /usr/bin/urpmi*

 
This requires an account in the urpmi group. Possibly physical access to the box as well. 

On Mandrake 7.1 the package urpmi was installed by default on my machine... I did not add my user to the urpmi group 
gid 234(urpmi) it was like that when the user was added to my system. As you can see in the config file a User is aloud to install a 
package if it resides in a directory that has been defined as being safe. 

[root@localhost /root]# cat /etc/urpmi/urpmi.cfg
cdrom1 removable_cdrom_0://mnt/cdrom/Mandrake/RPMS
cdrom2 removable_cdrom_1://mnt/cdrom/Mandrake/RPMS2
cdrom3 removable_cdrom_2://mnt/cdrom/RPMS
cdrom4 removable_cdrom_3://mnt/cdrom/RPMS

DESCRIPTION
       urpmi  enables  non-superuser install of rpms. In fact, it
       only authorizes well-known rpms to be installed.

 All  users belonging to group urpmi are allowed to install
       packages.
       Just launch urpmi followed by what you think is  the  name
       of the package(s), and urpmi will install them

^---------- hrmm so lets say I have supermount enabled on my box 
            And my fstab looks something like this and of course the mtab having the appropreate entry also.
            /dev/cdrom /mnt/cdrom auto user,noauto,nosuid,exec,nodev,ro 0 0

            So I decide to burn myself a cd with a folder RPMS and I place exploitmeplease.i586.rpm in the folder.
            Simply drop it in the cdrom drive and viola. 

            I should then as a member of the urpmi group be alloud to type:

            [user@localhost /mnt/cdrom/RPMS]$ urpmi -ivh exploitmeplease
 
            And procede to install my tools as root


 Note that urpmi handle installations from  various  medias
       (ftp,  local  and  nfs  volumes,  removable medias such as
       CDROMs) and is able to install dependencies from  a  media
       different  from  the  package's media. If necessary, urpmi
       asks you to insert the required media.

   ^---------- thats cool it might even ask me to put in a cd... hrmm thats a bright idea. trojan dependancys for a package 
                you do have  access to could be located on a different cd... thats really anal but theoretically it could happen. 
                Hell for all I know if you got lucky and there was a blank in the drive or if you can physically put a blank in the drive
                you could maybe use the cdwriter exploit to burn your trojan cd.