/usr/bin/rmail is sgid mail.  The man page clearly says rmail is only
  required by UUCP; still, it is installed everywhere.  It has also
  been known to have bugs for years, which SGI has addressed with a
  series of patches.  Unfortunately, all of them fail to fix the
  problem completely, including the most recent one, 1639 (for 6.2;
  it has counterparts for other releases).  It is a small and simple
  program: it just passes a slightly modified message from stdin to
  sendmail, as usual by way of system().

  To exploit, set the LOGNAME environment variable to something like:

      blah;mycommand

  Credit for this goes to Yuri Volobuev.
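
  The bug class described above, as an added example (not SGI's rmail source and not part of the original advisory): an environment value pasted into a string for system(), next to a form that validates the name and builds an argv[] for execv(). The function names, the sendmail path and the "-f<name>" argument layout are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SENDMAIL "/usr/lib/sendmail" /* assumed path, not from the advisory */

/* Unsafe pattern: this string is later handed to system(), i.e. parsed by
 * /bin/sh, so a ';' inside logname ends one command and starts another. */
int build_shell_command(char *out, size_t n, const char *logname)
{
    int len = snprintf(out, n, SENDMAIL " -f%s", logname);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Allow-list: letters, digits, '.', '_' and '-', no leading '-', max 32. */
int is_safe_login(const char *s)
{
    size_t i, len = s ? strlen(s) : 0;
    if (len == 0 || len > 32 || s[0] == '-')
        return 0;
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("._-", s[i]))
            return 0;
    return 1;
}

/* Hardened pattern: validate, then fill an argv[] meant for execv(), so the
 * value travels as a single argument and no shell ever parses it. */
int build_argv(const char **argv, char *fbuf, size_t n, const char *logname)
{
    int len = is_safe_login(logname) ? snprintf(fbuf, n, "-f%s", logname) : -1;
    if (len < 0 || (size_t)len >= n)
        return -1;
    argv[0] = "sendmail";
    argv[1] = fbuf;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[3], *sample = "blah;mycommand"; /* value from the advisory */
    char cmd[128], fbuf[64];
    build_shell_command(cmd, sizeof cmd, sample);
    printf("shell would parse: %s\n", cmd);
    printf("accepted: %d\n", build_argv(argv, fbuf, sizeof fbuf, sample) == 0);
    return 0;
}
```

  A set-gid program should apply the same treatment to every environment-derived value it forwards, and a patch that filters only some metacharacters while still calling system() leaves the shell in the path.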