i noticed this news item:
http://linuxtoday.com/news_story.php3?ltsn=2004-09-08-039-26-SC-SW

so star, a tape backup utility, can be used to get root access. so could not a local cracker write a program like the old un-updated star and run it to get root access?

AFAIK the program has to be suid root.

Any program that is SUID root has the potential of being exploited to give root priviledges if not properly coded. So technically you can write a program that will spawn a shell, but unless you can make it SUID root, it won't really be of much use.

And normal users cannot change the owner of any file. Only root can change the owner.

When a non-root user creates a file, they are (or rather their UID is) the owner of it. If they turn on the set-uid bit and make the file executable, this is allowed -- but it will not be suid root. It will be suid that-UID. They cannot make root own the file unless they are root (they also cannot make a suid-some-other-UID file unless they are root, because again, they can't change the owner of files).

thanks for the detailed explaination.