Also watch out for "IFS=" in the shell with popen and setuid. On system V (not BSD), you can set IFS=/; export IFS and if it does a popen("/xxx/yuyy", "w"); or "r", then all you need is a a program called xxx in the current working directory.