Exploit is for the rcvtty of the mh package, which is setgid=4(tty) on BSDi. this exploit gives you egid/group=4(tty) access.