catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file.
https://exchange.xforce.ibmcloud.com/vulnerabilities/5788
http://archives.neohapsis.com/archives/bugtraq/2000-12/0313.html