rctab in SuSE 7.0 and earlier allows local users to create or overwrite arbitrary files via a symlink attack on the rctmp temporary file.
https://exchange.xforce.ibmcloud.com/vulnerabilities/5945
http://archives.neohapsis.com/archives/bugtraq/2001-01/0272.html