The  /usr/sbin/print/netprint  program  is  used  by  the printing
  system installed on all SGI systems.

  netprint  has  system("disable")  call,  i.e.  it  calls a program
  without  specifying  absolute  path.   At  the  moment the call is
  made, uid=lp.  So lp priorities can be trivially obtained.

     /usr/lib/print/netprint -n blah -h blah -p blah 1-234

  and whatever program  named disable is  first in the  PATH will be
  executed as lp.

  However,  one  can  go  further  if  BSD  printing  subsystem   is
  installed.   /usr/spool/lpd is  owned by  lp, and  it's the  place
  where  lpd  writes  lock  file.   lpd  is  also root/suid.  So one
  replaces  /usr/spool/lpd/lpd.lock  with  a  symlink to /etc/passwd
  and  runs  lpd,  passwd  gets  nuked.   Then  one repeats netprint
  trick, and,  voila, disable  now runs  as root,  because lp is not
  found in passwd.  Credit for this goes to Yuri Volobuev.