Skip to main content

When trying to run an uninstall script for our content filter (iBoss), it fails when running via Policy. However, if you login with a local administrator account and run the script on the machine itself... it works fine.



Here is the error:



If I echo out the majority of the commands, I narrowed the failure down to the certificate removal.



Here is the content of the script: 



#!/bin/bash



# **********************************************************************

# *

# * Filename:    uninstall.sh

# *

# * Description:

# *

# * Notes:

# *

# *

# *

# *

# * Copyright (c) 2018 iboss, Inc. All rights reserved.

# * This software may not be published, distributed or reproduced in any

# * manner for any purpose without the express written consent of

# * iboss, Inc.

# **********************************************************************/

mkdir /tmp/uninstallLogs 2>/dev/null

exec &> >(tee -a /tmp/uninstallLogs/$(basename $0).log)

date

isAws2018=$(uname -r | grep 4.14 | grep amzn1)

isAwsV2=$(uname -r | grep 4.14 | grep amzn2)



if [[ "$OSTYPE" == "darwin"* ]]; then

  set -e

  function resetProxy {

    # uninstall

    sudo /usr/sbin/networksetup -listallnetworkservices | grep -v asterisk  | while read line ;

    do

        sudo /usr/sbin/networksetup -setautoproxyurl "$line" " "

        sudo /usr/sbin/networksetup -setwebproxy "$line" " "

        sudo /usr/sbin/networksetup -setsecurewebproxy "$line" " "

        sudo /usr/sbin/networksetup -setproxybypassdomains "$line" ""

        sudo /usr/sbin/networksetup -setautoproxystate "$line" "off"

        sudo /usr/sbin/networksetup -setwebproxystate "$line" "off"

        sudo /usr/sbin/networksetup -setsecurewebproxystate "$line" "off"

        sudo /usr/sbin/networksetup -setv6automatic "$line"

    done

  }



  # stop agent

  if sudo /bin/launchctl list "com.iboss.gen4agent.plist" &> /dev/null; then

      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.gen4agent.plist"

  fi



  if sudo /bin/launchctl list "com.iboss.networkchange" &> /dev/null; then

      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.networkchange.plist"

  fi



  FILE=/Applications/Utilities/iboss.app/gen4agent/iboss.crt

  if [ -f "$FILE" ] && [ -s "$FILE" ]; then

    CERT=$(openssl x509 -noout -subject -in $FILE | grep -o "CN=.*/" | awk -F '[=/]' '{ print $2 }')

    security find-certificate -c "$CERT" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'

  fi



  resetProxy



  echo "Removing IBSA packages"

  sudo rm -rf /Library/LaunchDaemons/com.iboss.gen4agent.plist

  sudo rm -rf /Library/LaunchDaemons/com.iboss.networkchange.plist

  sudo rm -rf /Applications/Utilities/iboss.app

  sudo rm -rf /Applications/iboss.app

  sudo rm -rf /Applications/Firefox.app/Contents/Resources/iboss.cfg

  sudo rm -rf /Applications/Firefox.app/Contents/Resources/defaults/pref/firefox_iboss.js

  pkill -f firefox



elif [[ "$OSTYPE" == "linux-gnu" ]] && [[ -f '/etc/debian_version' ]]; then

   su $(users) -c "gsettings set org.gnome.system.proxy.https host ''"

   su $(users) -c "gsettings set org.gnome.system.proxy.https port 0"

   su $(users) -c "gsettings set org.gnome.system.proxy.http host ''"

   su $(users) -c "gsettings set org.gnome.system.proxy.http port 0"

   su $(users) -c "gsettings set org.gnome.system.proxy ignore-hosts "['']""

   su $(users) -c "gsettings set org.gnome.system.proxy autoconfig-url ''"

   su $(users) -c "gsettings set org.gnome.system.proxy mode none"



   sudo sed -i '/net.ipv6.conf.all.disable_ipv6/c

et.ipv6.conf.all.disable_ipv6=0' /etc/sysctl.conf

   sudo sed -i '/net.ipv6.conf.default.disable_ipv6/c

et.ipv6.conf.default.disable_ipv6=0' /etc/sysctl.conf

   sudo sed -i '/net.ipv6.conf.lo.disable_ipv6/c

et.ipv6.conf.lo.disable_ipv6=0' /etc/sysctl.conf

   sudo sysctl -p



   echo "Removing IBSA packages"

   if [ -f '/etc/systemd/system/ibsa.service' ]; then

        sudo systemctl stop ibsa.service

        sudo systemctl disable ibsa.service

   fi



   if [ -f '/etc/systemd/system/networkchange.service' ]; then

        sudo systemctl stop networkchange.service

        sudo systemctl disable networkchange.service

   fi



   sudo rm  -f "/usr/share/ca-certificates/iboss.crt"

   sudo update-ca-certificates



   sudo rm -rf /usr/share/ibsa

   sudo rm -f /etc/systemd/system/ibsa.service

   sudo rm -f /etc/systemd/system/multi-user.target.wants/ibsa.service

   sudo rm -f /etc/systemd/system/networkchange.service

   sudo rm -f /etc/systemd/system/multi-user.target.wants/networkchange.service

   sudo rm -f /usr/lib/firefox/defaults/pref/firefox_iboss.js

   sudo rm -f /usr/lib/firefox/iboss.cfg



   pkill -f firefox

elif [[ -f '/etc/redhat-release' ]] || [[ "x$isAws2018" != "x" ]] || [[ "x$isAwsV2" != "x" ]]; then



   sudo gsettings set org.gnome.system.proxy.https host ''

   sudo gsettings set org.gnome.system.proxy.https port 0

   sudo gsettings set org.gnome.system.proxy.http host ''

   sudo gsettings set org.gnome.system.proxy.http port 0

   sudo gsettings set org.gnome.system.proxy ignore-hosts "['']"

   sudo gsettings set org.gnome.system.proxy autoconfig-url ''

   sudo gsettings set org.gnome.system.proxy mode none



   sudo sed -i '/net.ipv6.conf.all.disable_ipv6/c

et.ipv6.conf.all.disable_ipv6=0' /etc/sysctl.conf

   sudo sed -i '/net.ipv6.conf.default.disable_ipv6/c

et.ipv6.conf.default.disable_ipv6=0' /etc/sysctl.conf

   sudo sed -i '/net.ipv6.conf.lo.disable_ipv6/c

et.ipv6.conf.lo.disable_ipv6=0' /etc/sysctl.conf

   sudo sysctl -p



   echo "Removing IBSA packages"

   if [ -f '/etc/systemd/system/ibsa.service' ]; then

        sudo systemctl stop ibsa.service

        sudo systemctl disable ibsa.service

   fi



   if [ -f '/etc/init.d/ibsa' ]; then

        sudo service ibsa stop

        sudo chkconfig --del ibsa

   fi



   if [ -f '/etc/systemd/system/networkchange.service' ]; then

        sudo systemctl stop networkchange.service

        sudo systemctl disable networkchange.service

   fi



   sudo /usr/share/ibsa/scripts/setProxyEnvironment.sh none

   sudo /usr/share/ibsa/scripts/proxy.sh 'none'

   sudo rm -f /etc/init.d/ibsa

   sudo rm -rf /usr/share/ibsa

   sudo rm -f /etc/systemd/system/ibsa.service

   sudo rm -f /etc/systemd/system/multi-user.target.wants/ibsa.service

   sudo rm -f /etc/systemd/system/multi-user.target.wants/networkchange.service

   sudo rm -f /usr/lib/firefox/defaults/pref/firefox_iboss.js

   sudo rm -f /usr/lib/firefox/iboss.cfg

   sudo rm -f /usr/lib64/firefox/defaults/pref/firefox_iboss.js

   sudo rm -f /usr/lib64/firefox/iboss.cfg



   sudo rm -f /etc/pki/ca-trust/source/anchors/iboss.crt

   sudo update-ca-trust



   pkill -f firefox

fi


Any help would be appreciated.

Might want to use >_ button when posting a script.

So where did you see the script was failing? Do you mean at this line:



sudo rm  -f "/usr/share/ca-certificates/iboss.crt"


Or was it at this line near the end?



sudo rm -f /etc/pki/ca-trust/source/anchors/iboss.crt


Those are the only places I see it trying to delete a certificate.



BTW, I know you didn't make that script, but whoever did, they should know that all those dozens of sudo's are totally unnecessary. When an entire script runs as root or with sudo, you typically never have to include specific sudo's within the script itself. There are some exceptions, but none of the above cases are such exceptions.

This section right here:



FILE=/Applications/Utilities/iboss.app/gen4agent/iboss.crt

  if [ -f "$FILE" ] && [ -s "$FILE" ]; then

    CERT=$(openssl x509 -noout -subject -in $FILE | grep -o "CN=.*/" | awk -F '[=/]' '{ print $2 }')

    security find-certificate -c "$CERT" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'

  fi


And I know! From what iBoss said, it's just a generic catch-all script. Not an excuse though. I just want this stupid thing to work so I don't have to manually remove the iBoss connector on 1200 machines.

I was able to get it to work by using only these bits:



#!/bin/bash



if [[ "$OSTYPE" == "darwin"* ]]; then

  set -e

  function resetProxy {

    # uninstall

    sudo /usr/sbin/networksetup -listallnetworkservices | grep -v asterisk  | while read line ;

    do

        sudo /usr/sbin/networksetup -setautoproxyurl "$line" " "

        sudo /usr/sbin/networksetup -setwebproxy "$line" " "

        sudo /usr/sbin/networksetup -setsecurewebproxy "$line" " "

        sudo /usr/sbin/networksetup -setproxybypassdomains "$line" ""

        sudo /usr/sbin/networksetup -setautoproxystate "$line" "off"

        sudo /usr/sbin/networksetup -setwebproxystate "$line" "off"

        sudo /usr/sbin/networksetup -setsecurewebproxystate "$line" "off"

        sudo /usr/sbin/networksetup -setv6automatic "$line"

    done

  }



  # stop agent

  if sudo /bin/launchctl list "com.iboss.gen4agent" &> /dev/null; then

      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.gen4agent.plist"

  fi



  if sudo /bin/launchctl list "com.iboss.networkchange" &> /dev/null; then

      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.networkchange.plist"

  fi



  FILE=/Applications/Utilities/iboss.app/gen4agent/iboss.crt

  if [ -f "$FILE" ] && [ -s "$FILE" ]; then

    CERT=$(openssl x509 -noout -subject -in $FILE | grep -o "CN=.*/" | awk -F '[=/]' '{ print $2 }')

    security find-certificate -c "$CERT" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'

  fi



  resetProxy



  echo "Removing IBSA packages"

  sudo rm -rf /Library/LaunchDaemons/com.iboss.gen4agent.plist

  sudo rm -rf /Library/LaunchDaemons/com.iboss.networkchange.plist

  sudo rm -rf /Applications/Utilities/iboss.app

  sudo rm -rf /Applications/iboss.app

fi

I've seen situations where an unnecessary sudo can muck the whole thing up (happened today actually); that might be a way to get it working.

So we're all in agreement though... We all can't stand iBoss. Yeah?

 

Terms & ConditionsCookie settings