Sandboxed code can set setuid bit on files

Sandboxed code can conspire with non-sandboxed code to acquire the full privileges of the invoking user. The sandboxed code can use chmod() to set the setuid bit on a file containing arbitrary code. The non-sandboxed code can then execute the file. This is particularly serious if pola-run/pola-shell are run as root. (Note that the sandboxed process cannot itself run the executable as setuid, because Plash does not support running setuid executables.)

The solution would be for chmod() to refuse to set the setuid bit. Maybe there should then be an option to re-enable the ability to set setuid.

Resolution

real_file_chmod() and real_dir_create_file() now refuse to set the setuid or setgid bits and return an error in this case.
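The check described in the resolution, as an added example that is not Plash's own code: a chmod() wrapper for sandboxed callers that rejects any mode carrying the setuid or setgid bit, plus a self-check on a temporary file. Function names are assumed; the same test applies in the file-creation path, where the initial mode is supplied.

```c
#define _XOPEN_SOURCE 500
#include <errno.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Non-zero if the requested mode would grant privilege on exec. */
int mode_sets_privilege_bits(mode_t mode)
{
    return (mode & (S_ISUID | S_ISGID)) != 0;
}

/* chmod() as exposed to sandboxed code (hypothetical name): fails with
 * EPERM rather than let the sandbox plant a setuid file that code
 * outside the sandbox could later execute. */
int sandbox_chmod(const char *path, mode_t mode)
{
    if (mode_sets_privilege_bits(mode)) {
        errno = EPERM;
        return -1;
    }
    return chmod(path, mode);
}

/* Self-check on a temporary file: the setuid request must be refused
 * and leave the mode untouched, an ordinary chmod must still succeed.
 * Returns 1 on success, 0 otherwise. */
int demo_setuid_refused(void)
{
    char tmpl[] = "/tmp/plash-setuid-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl);
    int ok = 0;

    if (fd < 0)
        return 0;
    close(fd);
    if (sandbox_chmod(tmpl, S_ISUID | 0755) == -1 && errno == EPERM
        && sandbox_chmod(tmpl, 0644) == 0
        && stat(tmpl, &st) == 0
        && !mode_sets_privilege_bits(st.st_mode)
        && (st.st_mode & 0777) == 0644)
        ok = 1;
    unlink(tmpl);
    return ok;
}
```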

PlashIssues/SetuidBitVulnerability (last edited 2007-11-26 19:20:37 by MarkSeaborn)