The actual vulnerability is quite ugly. netprint has system("disable") call, i.e. it calls a program without specifying absolute path. At the moment the call is made, uid=lp. So lp priorities can be trivially obtained. /usr/lib/print/netprint -n blah -h blah -p blah 1-234 and whatever program named disable is first in the PATH will be executed as lp. However, one can go further if BSD printing subsystem is installed. /usr/spool/lpd is owned by lp, and it's the place where lpd writes lock file. lpd is also root/suid. So one replaces /usr/spool/lpd/lpd.lock with a symlink to /etc/passwd and runs lpd, passwd gets nuked. Then one repeats netprint trick, and, voila, disable now runs as root, because lp is not found in passwd. Kinda neat.