关于Linux Polkit组件中pkexec程序权限提升漏洞解决办法（编号为CVE-2021-4034）

关于Linux Polkit组件中pkexec程序权限提升漏洞解决办法（编号为CVE-2021-4034）

影响范围

Debain stretch policykit-1 < 0.105-18+deb9u2

Debain buster policykit-1 < 0.105-25+deb10u1

Debain bookworm, bullseye policykit-1 < 0.105-31.1

Ubuntu 21.10 (Impish Indri) policykit-1  < 0.105-31ubuntu0.1

Ubuntu 21.04 (Hirsute Hippo) policykit-1 Ignored (reached end-of-life)

Ubuntu 20.04 LTS (Focal Fossa) policykit-1   < 0.105-26ubuntu1.2)

Ubuntu 18.04 LTS (Bionic Beaver) policykit-1  < 0.105-20ubuntu0.18.04.6)

Ubuntu 16.04 ESM (Xenial Xerus) policykit-1  < 0.105-14.1ubuntu0.5+esm1)

Ubuntu 14.04 ESM (Trusty Tahr) policykit-1  < 0.105-4ubuntu3.14.04.6+esm1)

CentOS 6 polkit < polkit-0.96-11.el6_10.2

CentOS 7 polkit < polkit-0.112-26.el7_9.1

CentOS 8.0 polkit < polkit-0.115-13.el8_5.1

CentOS 8.2 polkit < polkit-0.115-11.el8_2.2

CentOS 8.4 polkit < polkit-0.115-11.el8_4.2

修补方法（CentOS）

1.查看系统版本

cat /etc/redhat-release

例如：
[root@BAAIOCMongo ~]# cat /etc/redhat-release
CentOS Linux release 8.5.2111

2.查看 polkit 版本

rpm -qa polkit

例如：
[root@BAAIOCMongo ~]# rpm -qa polkit
polkit-0.115-11.el8_4.1.x86_64

3.更新 polkit 版本

yum update polkit -y

如未在影响范围内可不进行更新,更新完再次查看版本即可，如是 CentOS 8及以上需操作第四步再操作第三步
原因centos8官方源已下线，只能使用centos-vault源所以需要切换，如使用yum报错也可使用

4.CentOS 8及以上版本需更换 yum 源再进行更新 polkit 版本

cd /etc/yum.repos.d/

mkdir backup

mv *.repo backup/

vi CentOS-Base.repo
复制下面代码段 CentOS-Base.repo 的内容到该文件即可（name中的8.5.2111 可替换为第一步查询到的系统版本） 保存后继续按以下步骤执行

yum clean all && yum makecache

yum update polkit -y

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the 
# remarked out baseurl= line instead.
#
#
 
[base]
name=CentOS-8.5.2111 - Base - mirrors.aliyun.com
baseurl=http://mirrors.aliyun.com/centos-vault/8.5.2111/BaseOS/$basearch/os/
        http://mirrors.aliyuncs.com/centos-vault/8.5.2111/BaseOS/$basearch/os/
        http://mirrors.cloud.aliyuncs.com/centos-vault/8.5.2111/BaseOS/$basearch/os/
gpgcheck=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-Official
 
#additional packages that may be useful
[extras]
name=CentOS-8.5.2111 - Extras - mirrors.aliyun.com
baseurl=http://mirrors.aliyun.com/centos-vault/8.5.2111/extras/$basearch/os/
        http://mirrors.aliyuncs.com/centos-vault/8.5.2111/extras/$basearch/os/
        http://mirrors.cloud.aliyuncs.com/centos-vault/8.5.2111/extras/$basearch/os/
gpgcheck=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-Official
 
#additional packages that extend functionality of existing packages
[centos-vaultplus]
name=CentOS-8.5.2111 - Plus - mirrors.aliyun.com
baseurl=http://mirrors.aliyun.com/centos-vault/8.5.2111/centos-vaultplus/$basearch/os/
        http://mirrors.aliyuncs.com/centos-vault/8.5.2111/centos-vaultplus/$basearch/os/
        http://mirrors.cloud.aliyuncs.com/centos-vault/8.5.2111/centos-vaultplus/$basearch/os/
gpgcheck=0
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-Official
 
[PowerTools]
name=CentOS-8.5.2111 - PowerTools - mirrors.aliyun.com
baseurl=http://mirrors.aliyun.com/centos-vault/8.5.2111/PowerTools/$basearch/os/
        http://mirrors.aliyuncs.com/centos-vault/8.5.2111/PowerTools/$basearch/os/
        http://mirrors.cloud.aliyuncs.com/centos-vault/8.5.2111/PowerTools/$basearch/os/
gpgcheck=0
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-Official


[AppStream]
name=CentOS-8.5.2111 - AppStream - mirrors.aliyun.com
baseurl=http://mirrors.aliyun.com/centos-vault/8.5.2111/AppStream/$basearch/os/
        http://mirrors.aliyuncs.com/centos-vault/8.5.2111/AppStream/$basearch/os/
        http://mirrors.cloud.aliyuncs.com/centos-vault/8.5.2111/AppStream/$basearch/os/
gpgcheck=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-Official