comment on

setuid allows a user to execute a script as the script's owner.

I believe it can be attacked as follows:

Create a symbolic link to the setuid script.
Execute the setuid script via that symbolic link.
Immediately replace the symbolic link with a file.
If you get the timing right, the setuid script will read and write the data from your file instead of from the script file. The script trusts the data since it expects to be the only one able to change it, but you actually have full access to the data.

As a variation of the above, the attack could also replace the volume on which the script resides by unmounting it and mounting a new one.

In reply to Re^3: Is it possible to modify __DATA__ via the DATA file handle or otherwise? by ikegami
in thread Is it possible to modify __DATA__ via the DATA file handle or otherwise? by YenForYang

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.