Exploit:

 Larry W. Cashdollar  found following (tested  on IRIX64 devel  6.5
 05190004).  The  setuid root binary  midikeys can be  used to read
 any file on the  system using its gui  interface.  It can  also be
 used  to  edit  anyfile  on  the  system.   One can get from guest
 account access to root access using the following procedure.

 1) Choose an unpassworded account and telnet in (like guest or lp)

     devel 25% id
     uid=998 gid=998(guest)

 2) Execute the midikeys application with display set to your host

     devel 26% ./midikeys
     devel 27% Xlib:  extension "GLX" missing on display "grinch:0.0".
     Xlib:  extension "GLX" missing on display "grinch:0.0".

 3) under  the midikeys  window click  sounds and  then midi songs.
    This will open a file manager type interface.

 4) You can enter the path and filename of files you which to read.
    including root  owned with  group/world read/write  permissions
    unset.

 5) If  you select  a file  like "/usr/share/data/music/README"  it
    will appear  in a  text editor.   Use the  text editor  to open
    /etc/passwd and make modifications at will.  Save and enjoy.

 So, you can remove the '*' from sysadm...

 $ su sysadm
 # id
 uid=0(root) gid=0(sys)

 devel 28%  ls -l /usr/sbin/midikeys
 -rwsr-xr-x    1 root     root      218712 Jan 10 17:19 /usr/sbin/midikeys