eInstruction Workspace Sudo Misconfiguration

2014.05.15
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi!

eInstruction sells, among others, electronic whiteboards. They also provide Linux software for these, including a user-land driver of sorts called Workspace. If the installation of that software succeeds, it will change /etc/sudoers to add the following two lines:

    ALL ALL=(ALL) NOPASSWD : /opt/eInstruction/DeviceManager/jre/bin/java -Djava.library.path\=. -classpath ./dm.jar\:./*\:./axis2-1.5/* einstruction.dm.ui.Main
    Defaults env_keep += "DISPLAY XAUTHORITY XAUTHLOCALHOSTNAME"

The problem here is that the first command allows anyone to run pretty much anything as root: simply place a dm.jar in the current directory before executing the named command, and the named class inside it will get executed. The intention is of course to run the shipped jar with full privileges, but the command does not check the current working directory or use an absolute path.

I informed the developers of this issue on 2013-12-07, in their problem report #51647. I included a statement of my plans to disclose this issue, but unfortunately forgot to actually do so. On 2014-04-22 I got the first response: "I will pass this information along to our developers". Apparently no progress since then.

I guess a manual fix would be replacing all relative paths with absolute ones. Not sure how secure the Java code itself is, but the sudo problem should be avoidable that way.

Greetings,
Martin von Gagern
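As an added example (not part of the advisory and not eInstruction's code), a small auditor that parses sudoers user specifications and flags every executable or argument that names a path relative to the caller's working directory, which is exactly what makes the rule above exploitable. The sample sudoers text is constructed from the two lines quoted in the advisory plus a hypothetical corrected rule with absolute paths only; the tag and keyword lists cover common sudoers syntax, not every dialect.

```python
import re

# Constructed sample, not the page's own file: the two lines the advisory says
# the Workspace installer appends to /etc/sudoers, plus a hypothetical
# corrected rule in which every path is absolute.
SAMPLE_SUDOERS = r"""ALL ALL=(ALL) NOPASSWD : /opt/eInstruction/DeviceManager/jre/bin/java -Djava.library.path\=. -classpath ./dm.jar\:./*\:./axis2-1.5/* einstruction.dm.ui.Main
Defaults env_keep += "DISPLAY XAUTHORITY XAUTHLOCALHOSTNAME"
ALL ALL=(ALL) NOPASSWD : /opt/eInstruction/DeviceManager/jre/bin/java -Djava.library.path\=/opt/eInstruction/DeviceManager -classpath /opt/eInstruction/DeviceManager/dm.jar einstruction.dm.ui.Main
"""

# Lines that are not user specifications and carry no command to audit.
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "Cmd_Alias")
# user host = (runas) command-list      (a sudoers "user specification")
USER_SPEC = re.compile(r"^\S+\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
# Tags such as "NOPASSWD:" or "NOEXEC :" that may precede each command.
TAG = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT)\s*:\s*")

def unescape(token):
    """sudoers escapes = : , and backslash with a backslash; undo that."""
    return re.sub(r"\\(.)", r"\1", token)

def is_relative(piece):
    return piece in (".", "..") or piece.startswith(("./", "../"))

def audit_sudoers(text):
    """Return (line, token, reason) for each command spec whose executable or
    argument refers to a file relative to the caller-controlled working directory."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(SKIP):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        for cmd in re.split(r"(?<!\\),", m.group("cmds")):  # unescaped commas separate commands
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):        # peel NOPASSWD:, NOEXEC:, ... prefixes
                cmd = cmd[t.end():]
            tokens = cmd.split()                # arguments with escaped spaces are not handled
            if not tokens or tokens[0] in ("ALL", "sudoedit"):
                continue
            exe, args = tokens[0], tokens[1:]
            if not exe.startswith("/"):
                findings.append((lineno, exe, "executable is not an absolute path"))
            for arg in args:
                # -Dprop=. and a:b:c lists hide several paths inside one argument
                for piece in re.split(r"[=:]", unescape(arg)):
                    if is_relative(piece):
                        findings.append((lineno, piece, "argument names a relative path"))
    return findings

if __name__ == "__main__":
    for lineno, token, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {token!r}: {reason}")
```

On the sample, only the first line is reported: the library path `.` and the three classpath entries, while the corrected third line passes clean.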


Copyright 2024, cxsecurity.com