Linux kreatecd trusts a user-supplied path that is used to find the cdrecord program, allowing local users to gain root privileges.