[rkeene2]

A workaround might be to make all setuid/setgid files non-world-readable because then they cannot be opened at all, and thus there is no setuid file to replace the contents of.

[hashstring]

Eh, if you can pollute page caches this won’t safe you.

Think modifying shared libraries, ld preload, cron, I guess on some systems /etc/passwd even.

There are a lot of files readable that should definitely not be writable.

[rkeene2]

Fair enough -- a simpler change might be to poison /etc/passwd and call `su` to a user that has uid 0, since that requires no shell code nor a readable binary, and this seems to have worked in a slightly modified POC:

  f=g.open("/etc/passwd",0);
  e="rkeene:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash\n".encode()
  ...
  g.system("/run/wrappers/bin/su - rkeene")

[tyilo]

There is a PoC that does exactly that here: https://github.com/tgies/copy-fail-c