Script works locally, fails via Policy.

sirsir
Contributor

When trying to run an uninstall script for our content filter (iBoss), it fails when running via Policy. However, if you log in with a local administrator account and run the script on the machine itself... it works fine.

Here is the error:
If I echo out the majority of the commands, I narrowed the failure down to the certificate removal.

Here is the content of the script:

#!/bin/bash

# **********************************************************************
# *
# * Filename:    uninstall.sh
# *
# * Description:
# *
# * Notes:
# *
# *
# *
# *
# * Copyright (c) 2018 iboss, Inc. All rights reserved.
# * This software may not be published, distributed or reproduced in any
# * manner for any purpose without the express written consent of
# * iboss, Inc.
# **********************************************************************/
mkdir /tmp/uninstallLogs 2>/dev/null
exec &> >(tee -a /tmp/uninstallLogs/$(basename $0).log)
date
isAws2018=$(uname -r | grep 4.14 | grep amzn1)
isAwsV2=$(uname -r | grep 4.14 | grep amzn2)

if [[ "$OSTYPE" == "darwin"* ]]; then
  set -e
  function resetProxy {
    # uninstall
    sudo /usr/sbin/networksetup -listallnetworkservices | grep -v asterisk  | while read line ;
    do
        sudo /usr/sbin/networksetup -setautoproxyurl "$line" " "
        sudo /usr/sbin/networksetup -setwebproxy "$line" " "
        sudo /usr/sbin/networksetup -setsecurewebproxy "$line" " "
        sudo /usr/sbin/networksetup -setproxybypassdomains "$line" ""
        sudo /usr/sbin/networksetup -setautoproxystate "$line" "off"
        sudo /usr/sbin/networksetup -setwebproxystate "$line" "off"
        sudo /usr/sbin/networksetup -setsecurewebproxystate "$line" "off"
        sudo /usr/sbin/networksetup -setv6automatic "$line"
    done
  }

  # stop agent
  if sudo /bin/launchctl list "com.iboss.gen4agent.plist" &> /dev/null; then
      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.gen4agent.plist"
  fi

  if sudo /bin/launchctl list "com.iboss.networkchange" &> /dev/null; then
      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.networkchange.plist"
  fi

  FILE=/Applications/Utilities/iboss.app/gen4agent/iboss.crt
  if [ -f "$FILE" ] && [ -s "$FILE" ]; then
    CERT=$(openssl x509 -noout -subject -in $FILE | grep -o "CN=.*/" | awk -F '[=/]' '{ print $2 }')
    security find-certificate -c "$CERT" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
  fi

  resetProxy

  echo "Removing IBSA packages"
  sudo rm -rf /Library/LaunchDaemons/com.iboss.gen4agent.plist
  sudo rm -rf /Library/LaunchDaemons/com.iboss.networkchange.plist
  sudo rm -rf /Applications/Utilities/iboss.app
  sudo rm -rf /Applications/iboss.app
  sudo rm -rf /Applications/Firefox.app/Contents/Resources/iboss.cfg
  sudo rm -rf /Applications/Firefox.app/Contents/Resources/defaults/pref/firefox_iboss.js
  pkill -f firefox

elif [[ "$OSTYPE" == "linux-gnu" ]] && [[ -f '/etc/debian_version' ]]; then
   su $(users) -c "gsettings set org.gnome.system.proxy.https host ''"
   su $(users) -c "gsettings set org.gnome.system.proxy.https port 0"
   su $(users) -c "gsettings set org.gnome.system.proxy.http host ''"
   su $(users) -c "gsettings set org.gnome.system.proxy.http port 0"
   su $(users) -c "gsettings set org.gnome.system.proxy ignore-hosts \"['']\""
   su $(users) -c "gsettings set org.gnome.system.proxy autoconfig-url ''"
   su $(users) -c "gsettings set org.gnome.system.proxy mode none"

   sudo sed -i '/net.ipv6.conf.all.disable_ipv6/c\net.ipv6.conf.all.disable_ipv6=0' /etc/sysctl.conf
   sudo sed -i '/net.ipv6.conf.default.disable_ipv6/c\net.ipv6.conf.default.disable_ipv6=0' /etc/sysctl.conf
   sudo sed -i '/net.ipv6.conf.lo.disable_ipv6/c\net.ipv6.conf.lo.disable_ipv6=0' /etc/sysctl.conf
   sudo sysctl -p

   echo "Removing IBSA packages"
   if [ -f '/etc/systemd/system/ibsa.service' ]; then
        sudo systemctl stop ibsa.service
        sudo systemctl disable ibsa.service
   fi

   if [ -f '/etc/systemd/system/networkchange.service' ]; then
        sudo systemctl stop networkchange.service
        sudo systemctl disable networkchange.service
   fi

   sudo rm  -f "/usr/share/ca-certificates/iboss.crt"
   sudo update-ca-certificates

   sudo rm -rf /usr/share/ibsa
   sudo rm -f /etc/systemd/system/ibsa.service
   sudo rm -f /etc/systemd/system/multi-user.target.wants/ibsa.service
   sudo rm -f /etc/systemd/system/networkchange.service
   sudo rm -f /etc/systemd/system/multi-user.target.wants/networkchange.service
   sudo rm -f /usr/lib/firefox/defaults/pref/firefox_iboss.js
   sudo rm -f /usr/lib/firefox/iboss.cfg

   pkill -f firefox
elif [[ -f '/etc/redhat-release' ]] || [[ "x$isAws2018" != "x" ]] || [[ "x$isAwsV2" != "x" ]]; then

   sudo gsettings set org.gnome.system.proxy.https host ''
   sudo gsettings set org.gnome.system.proxy.https port 0
   sudo gsettings set org.gnome.system.proxy.http host ''
   sudo gsettings set org.gnome.system.proxy.http port 0
   sudo gsettings set org.gnome.system.proxy ignore-hosts "['']"
   sudo gsettings set org.gnome.system.proxy autoconfig-url ''
   sudo gsettings set org.gnome.system.proxy mode none

   sudo sed -i '/net.ipv6.conf.all.disable_ipv6/c\net.ipv6.conf.all.disable_ipv6=0' /etc/sysctl.conf
   sudo sed -i '/net.ipv6.conf.default.disable_ipv6/c\net.ipv6.conf.default.disable_ipv6=0' /etc/sysctl.conf
   sudo sed -i '/net.ipv6.conf.lo.disable_ipv6/c\net.ipv6.conf.lo.disable_ipv6=0' /etc/sysctl.conf
   sudo sysctl -p

   echo "Removing IBSA packages"
   if [ -f '/etc/systemd/system/ibsa.service' ]; then
        sudo systemctl stop ibsa.service
        sudo systemctl disable ibsa.service
   fi

   if [ -f '/etc/init.d/ibsa' ]; then
        sudo service ibsa stop
        sudo chkconfig --del ibsa
   fi

   if [ -f '/etc/systemd/system/networkchange.service' ]; then
        sudo systemctl stop networkchange.service
        sudo systemctl disable networkchange.service
   fi

   sudo /usr/share/ibsa/scripts/setProxyEnvironment.sh none
   sudo /usr/share/ibsa/scripts/proxy.sh 'none'
   sudo rm -f /etc/init.d/ibsa
   sudo rm -rf /usr/share/ibsa
   sudo rm -f /etc/systemd/system/ibsa.service
   sudo rm -f /etc/systemd/system/multi-user.target.wants/ibsa.service
   sudo rm -f /etc/systemd/system/multi-user.target.wants/networkchange.service
   sudo rm -f /usr/lib/firefox/defaults/pref/firefox_iboss.js
   sudo rm -f /usr/lib/firefox/iboss.cfg
   sudo rm -f /usr/lib64/firefox/defaults/pref/firefox_iboss.js
   sudo rm -f /usr/lib64/firefox/iboss.cfg

   sudo rm -f /etc/pki/ca-trust/source/anchors/iboss.crt
   sudo update-ca-trust

   pkill -f firefox
fi

Any help would be appreciated.

1 ACCEPTED SOLUTION

sirsir
Contributor

I was able to get it to work by using only these bits:

#!/bin/bash

if [[ "$OSTYPE" == "darwin"* ]]; then
  set -e
  function resetProxy {
    # uninstall
    sudo /usr/sbin/networksetup -listallnetworkservices | grep -v asterisk  | while read line ;
    do
        sudo /usr/sbin/networksetup -setautoproxyurl "$line" " "
        sudo /usr/sbin/networksetup -setwebproxy "$line" " "
        sudo /usr/sbin/networksetup -setsecurewebproxy "$line" " "
        sudo /usr/sbin/networksetup -setproxybypassdomains "$line" ""
        sudo /usr/sbin/networksetup -setautoproxystate "$line" "off"
        sudo /usr/sbin/networksetup -setwebproxystate "$line" "off"
        sudo /usr/sbin/networksetup -setsecurewebproxystate "$line" "off"
        sudo /usr/sbin/networksetup -setv6automatic "$line"
    done
  }

  # stop agent
  if sudo /bin/launchctl list "com.iboss.gen4agent" &> /dev/null; then
      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.gen4agent.plist"
  fi

  if sudo /bin/launchctl list "com.iboss.networkchange" &> /dev/null; then
      sudo /bin/launchctl unload "/Library/LaunchDaemons/com.iboss.networkchange.plist"
  fi

  FILE=/Applications/Utilities/iboss.app/gen4agent/iboss.crt
  if [ -f "$FILE" ] && [ -s "$FILE" ]; then
    CERT=$(openssl x509 -noout -subject -in $FILE | grep -o "CN=.*/" | awk -F '[=/]' '{ print $2 }')
    security find-certificate -c "$CERT" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
  fi

  resetProxy

  echo "Removing IBSA packages"
  sudo rm -rf /Library/LaunchDaemons/com.iboss.gen4agent.plist
  sudo rm -rf /Library/LaunchDaemons/com.iboss.networkchange.plist
  sudo rm -rf /Applications/Utilities/iboss.app
  sudo rm -rf /Applications/iboss.app
fi

6 REPLIES 6

donmontalvo
Esteemed Contributor III

Might want to use >_ button when posting a script.

--
https://donmontalvo.com

mm2270
Legendary Contributor III

So where did you see the script was failing? Do you mean at this line:

sudo rm  -f "/usr/share/ca-certificates/iboss.crt"

Or was it at this line near the end?

sudo rm -f /etc/pki/ca-trust/source/anchors/iboss.crt

Those are the only places I see it trying to delete a certificate.

BTW, I know you didn't make that script, but whoever did, they should know that all those dozens of sudo's are totally unnecessary. When an entire script runs as root or with sudo, you typically never have to include specific sudo's within the script itself. There are some exceptions, but none of the above cases are such exceptions.

sirsir
Contributor

This section right here:

FILE=/Applications/Utilities/iboss.app/gen4agent/iboss.crt
  if [ -f "$FILE" ] && [ -s "$FILE" ]; then
    CERT=$(openssl x509 -noout -subject -in $FILE | grep -o "CN=.*/" | awk -F '[=/]' '{ print $2 }')
    security find-certificate -c "$CERT" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
  fi

And I know! From what iBoss said, it's just a generic catch-all script. Not an excuse though. I just want this stupid thing to work so I don't have to manually remove the iBoss connector on 1200 machines.
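
The certificate-removal step quoted above, reworked as an added example (it is not from any post in this thread and is not iboss's code): it takes the CN from either `openssl` subject format, refuses to search with an empty name, checks each SHA-1 hash before deleting, and uses no `sudo`, since a policy already runs as root. The function names, the `KEYCHAIN` default (an assumption that the certificate sits in the System keychain) and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example: assumes the script runs as root and that the certificate
# was installed in the System keychain (override KEYCHAIN if not).
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"

# Constructed sample of `security find-certificate -a -Z` output.
SAMPLE_SECURITY_OUTPUT='SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Library/Keychains/System.keychain"
    "labl"<blob>="Example Root CA"
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
SHA-1 hash: (unavailable)'

# Print the CN from an `openssl x509 -noout -subject` line. Handles the
# slash-separated form (/C=US/CN=name/...) and the comma-separated form
# (C = US, CN = name), including a CN that is the last component.
extract_cn() {
  printf '%s\n' "$1" |
    sed -n -E 's/^.*CN ?= ?([^/,]+).*$/\1/p' |
    sed -E 's/[[:space:]]+$//'
}

# Read `security find-certificate -Z` output on stdin and print only
# well-formed 40-digit hex SHA-1 hashes, one per line, without duplicates.
sha1_hashes() {
  awk '/SHA-1/ && $NF ~ /^[0-9A-Fa-f]+$/ && length($NF) == 40 { print $NF }' |
    sort -u
}

# Delete every certificate in $KEYCHAIN whose name matches the CN of the
# PEM file in $1. Returns 0 when the file is missing or empty.
remove_cert() {
  local file cn hash
  file="$1"
  [ -s "$file" ] || return 0
  cn="$(extract_cn "$(openssl x509 -noout -subject -in "$file")")"
  # Refuse to search with an empty name.
  [ -n "$cn" ] || { echo "no CN found in $file" >&2; return 1; }
  security find-certificate -c "$cn" -a -Z "$KEYCHAIN" | sha1_hashes |
    while read -r hash; do
      security delete-certificate -Z "$hash" "$KEYCHAIN"
    done
}
```

On a Mac the call would be `remove_cert /Applications/Utilities/iboss.app/gen4agent/iboss.crt`, made before the app bundle is deleted.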

d_mccullough
New Contributor III

I've seen situations where an unnecessary sudo can muck the whole thing up (happened today actually); that might be a way to get it working.

AECTucker
New Contributor

So we're all in agreement though... We all can't stand iBoss. Yeah?