Formerly, the /var/spool/fax/outgoing directory was world-writeable, leading to all sort of funny symlink attacks against faxspool(1) and faxrunq(8).
These days, it's owned by the user ``root'', and only this user can write to it. To be able to put jobs there, faxspool(1) calls faxq-helper for very clearly defined purposes:
- make a new queue directory
- put a new fax G3 file into this queue directory
- put a JOB file into this queue directory, and activate the fax job
- remove a fax job from the queue (to be used by faxrm and in case of errors)
- re-queue a job that has been suspended due to repeated failures (faxq -r)
To achieve this, faxq-helper is installed set-user-id root. If you remove the suid bit, or chown the fax queue directory to a different user, it will stop working.