Created
February 5, 2022 22:16
-
-
Save pbkwee/92887bff0fc4c2afbe8312c765260b28 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # when triggered by server patch code, will also include our sysinfo.sh script . A version of which is at https://gist.github.com/pbkwee/996a0c11f6d29281e58d3c42f869ef86 | |
| if [ "$1" == "--fix-vuln" ]; then | |
| # tag needed | |
| echo "dss:attemptingfix:" | |
| echo "dss:info: checking fix options." | |
| [ ! -x /usr/bin/pkexec ] && echo "dss:info: no /usr/bin/pkexec, nothing to do." && return 0 | |
| APT_GET_INSTALL_OPTIONS=' -y -o APT::Get::AllowUnauthenticated=yes -o Acquire::Check-Valid-Until=false -o Dpkg::Options::=--force-confnew -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confmiss ' | |
| while true; do | |
| ! which dpkg 2>/dev/null 1>/dev/null && break | |
| ! which apt-get 2>/dev/null 1>/dev/null && break | |
| echo "dss:info: checking if the policykit-1 package can be updated via apt" | |
| if ! dpkg -l policykit-1 | grep '^i' | grep -qai policykit-1; then | |
| echo "dss:info: no policykit-1 package installed." | |
| break | |
| fi | |
| if apt-get update && apt-get $APT_GET_INSTALL_OPTIONS install policykit-1; then | |
| # tag needed | |
| echo "dss:fixmethod: attempted apt-get install policykit-1." | |
| break | |
| fi | |
| break | |
| done | |
| while true; do | |
| ! which rpm 2>/dev/null 1>/dev/null && break | |
| ! which yum 2>/dev/null 1>/dev/null && break | |
| if ! rpm -qa polkit | grep -qai polkit; then | |
| echo "dss:info: no polkit package found." | |
| break | |
| fi | |
| echo "dss:info: attempting to upgrade the polkit rpm." | |
| # tag needed | |
| yum -y update polkit && echo "dss:fixmethod: attempted yum update polkit" | |
| break | |
| done | |
| while true; do | |
| [ ! -f /usr/bin/pkexec.disablesetuidflag ] && echo "dss:info: no /usr/bin/pkexec.disablesetuidflag file set, so not attempting to mitigate the issue by disabling the setuid bit" && break; | |
| # change the setuid bit iff /usr/bin/pkexec.disablesetuidflag exists and if /usr/bin/pkexec is older than 2022-01-10 | |
| ISRECENT=Y | |
| [ -f /usr/bin/pkexec ] && [ -f /usr/bin/pkexec.disablesetuidflag ] && touch /usr/bin/pkexec.exploitdate -d 2022-01-10 && ISRECENT= && ISRECENT="$(find /usr/bin/pkexec -name /usr/bin/pkexec -newer /usr/bin/pkexec.exploitdate )" | |
| # fixmethod tag needed | |
| [ -x /usr/bin/pkexec ] && echo "dss:info: checking the presence of a /usr/bin/pkexec.disablesetuidflag file to attempt disabling the setuid bit" && [ -f /usr/bin/pkexec.disablesetuidflag ] && [ -z "$ISRECENT" ] && chmod 0755 /usr/bin/pkexec && echo "dss:fixmethod: disabled setuid on /usr/bin/pkexec." | |
| break | |
| done | |
| fi | |
| POLKIT="$(which dpkg 2>/dev/null >/dev/null && dpkg -l | egrep 'polkit|policykit')" | |
| [ -z "$POLKIT" ] && POLKIT="$(which rpm >/dev/null 2>/dev/null && rpm -qa | egrep 'polkit|policykit')" | |
| # some servers don't have which installed | |
| [ -z "$POLKIT" ] && POLKIT="$([ -x /usr/bin/rpm ] && rpm -qa | egrep 'polkit|policykit')" | |
| echo "${POLKIT:-NA}" | awk '{print "RET:POLICYKIT:DPKG:" $0}' | |
| echo "RET:POLICYKIT:FILE:$( [ -f /usr/bin/pkexec ] && file /usr/bin/pkexec)" | |
| echo "RET:POLICYKIT:LSFILE:$( [ -f /usr/bin/pkexec ] && ls -l /usr/bin/pkexec)" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment