Skip to content

Instantly share code, notes, and snippets.

@pbkwee
Created Feb 5, 2022
Embed
What would you like to do?
#!/bin/bash
# when triggered by server patch code, will also include our sysinfo.sh script . A version of which is at https://gist.github.com/pbkwee/996a0c11f6d29281e58d3c42f869ef86
if [ "$1" == "--fix-vuln" ]; then
# tag needed
echo "dss:attemptingfix:"
echo "dss:info: checking fix options."
[ ! -x /usr/bin/pkexec ] && echo "dss:info: no /usr/bin/pkexec, nothing to do." && return 0
APT_GET_INSTALL_OPTIONS=' -y -o APT::Get::AllowUnauthenticated=yes -o Acquire::Check-Valid-Until=false -o Dpkg::Options::=--force-confnew -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confmiss '
while true; do
! which dpkg 2>/dev/null 1>/dev/null && break
! which apt-get 2>/dev/null 1>/dev/null && break
echo "dss:info: checking if the policykit-1 package can be updated via apt"
if ! dpkg -l policykit-1 | grep '^i' | grep -qai policykit-1; then
echo "dss:info: no policykit-1 package installed."
break
fi
if apt-get update && apt-get $APT_GET_INSTALL_OPTIONS install policykit-1; then
# tag needed
echo "dss:fixmethod: attempted apt-get install policykit-1."
break
fi
break
done
while true; do
! which rpm 2>/dev/null 1>/dev/null && break
! which yum 2>/dev/null 1>/dev/null && break
if ! rpm -qa polkit | grep -qai polkit; then
echo "dss:info: no polkit package found."
break
fi
echo "dss:info: attempting to upgrade the polkit rpm."
# tag needed
yum -y update polkit && echo "dss:fixmethod: attempted yum update polkit"
break
done
while true; do
[ ! -f /usr/bin/pkexec.disablesetuidflag ] && echo "dss:info: no /usr/bin/pkexec.disablesetuidflag file set, so not attempting to mitigate the issue by disabling the setuid bit" && break;
# change the setuid bit iff /usr/bin/pkexec.disablesetuidflag exists and if /usr/bin/pkexec is older than 2022-01-10
ISRECENT=Y
[ -f /usr/bin/pkexec ] && [ -f /usr/bin/pkexec.disablesetuidflag ] && touch /usr/bin/pkexec.exploitdate -d 2022-01-10 && ISRECENT= && ISRECENT="$(find /usr/bin/pkexec -name /usr/bin/pkexec -newer /usr/bin/pkexec.exploitdate )"
# fixmethod tag needed
[ -x /usr/bin/pkexec ] && echo "dss:info: checking the presence of a /usr/bin/pkexec.disablesetuidflag file to attempt disabling the setuid bit" && [ -f /usr/bin/pkexec.disablesetuidflag ] && [ -z "$ISRECENT" ] && chmod 0755 /usr/bin/pkexec && echo "dss:fixmethod: disabled setuid on /usr/bin/pkexec."
break
done
fi
POLKIT="$(which dpkg 2>/dev/null >/dev/null && dpkg -l | egrep 'polkit|policykit')"
[ -z "$POLKIT" ] && POLKIT="$(which rpm >/dev/null 2>/dev/null && rpm -qa | egrep 'polkit|policykit')"
# some servers don't have which installed
[ -z "$POLKIT" ] && POLKIT="$([ -x /usr/bin/rpm ] && rpm -qa | egrep 'polkit|policykit')"
echo "${POLKIT:-NA}" | awk '{print "RET:POLICYKIT:DPKG:" $0}'
echo "RET:POLICYKIT:FILE:$( [ -f /usr/bin/pkexec ] && file /usr/bin/pkexec)"
echo "RET:POLICYKIT:LSFILE:$( [ -f /usr/bin/pkexec ] && ls -l /usr/bin/pkexec)"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment