author | doktornotor <notordoktor@gmail.com> | 2015-10-11 15:52:35 +0200 |
---|---|---|
committer | doktornotor <notordoktor@gmail.com> | 2015-10-11 15:52:35 +0200 |
commit | 64544441536552b858797a172148e058f3239115 (patch) | |
tree | 98bb951d26f8806e7890eb818903fcc072c14837 | |
parent | 675b121ee2de4c1c430219053a9ba5f0d6a7e568 (diff) | |
Squid3 - multiple antivirus fixes
- Stop moving C-ICAP logs, it completely breaks things for users in bizarre ways
- Ditch the recursive chown madness on ClamAV/C-ICAP dirs. The C-ICAP socket/pid/logs are supposed to be owned by root:wheel, not clamav:wheel, this just should not be done.
- Fix the broken squid_check_clamav_user() function and user handling in general; stop re-adding clamav user to wheel group over and over again. Also, clean up the wheel group on uninstall.
- Add extensive error checking and debugging info to configuration file handling so that things can be debugged easily in the future.
-rw-r--r-- | config/squid3/34/squid_antivirus.inc | 154 |
1 files changed, 104 insertions, 50 deletions
diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc
index 03b9e129..c6f128f1 100644
--- a/config/squid3/34/squid_antivirus.inc
+++ b/config/squid3/34/squid_antivirus.inc
@@ -37,16 +37,16 @@ require_once('config.inc');
  */
 
 /* clamav user account hadling (only needed for PBI/pfSense <2.3) */
-function squid_check_clamav_user($user) {
+function squid_check_clamav_user() {
 	if (SQUID_BASE == '/usr/local') {
 		return;
-	}
-
-	$_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return);
-	$user_arg = ($sq_ex_return == 0 ? "mod" : "add");
-	$_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return);
-	if ($sq_ex_return != 0) {
-		log_error("[squid] Could not change clamav user settings. " . serialize($sq_ex_output));
+	} else {
+		if (!exec("/usr/sbin/pw usershow clamav")) {
+			mwexec("/usr/sbin/pw useradd clamav -G wheel -u 9595 -s /sbin/nologin");
+		}
+		if (!exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) {
+			mwexec("/usr/sbin/pw usermod clamav -G wheel");
+		}
 	}
 }
 
@@ -61,7 +61,8 @@ function squid_check_antivirus_dirs() {
 	);
 	foreach ($dirs as $dir_path => $dir_user) {
 		safe_mkdir($dir_path, 0755);
-		squid_chown_recursive($dir_path, $dir_user, "wheel");
+		chown($dir_path, $dir_user);
+		chgrp($dir_path, "wheel");
 	}
 }
 
@@ -125,7 +126,16 @@ function squid_antivirus_install_command() {
 		symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3");
 	}
 
-	// check dirs
+	// remove dirs with possibly broken file permissions after previous versions
+	$dirs = array("/var/run/c-icap", "/var/log/c-icap");
+	foreach ($dirs as $dir) {
+		if (is_dir("{$dir}")) {
+			mwexec("/bin/rm -rf {$dir}");
+		}
+	}
+
+	// create required dirs and set up clamav user if needed
+	squid_check_clamav_user();
 	squid_check_antivirus_dirs();
 
 	// remove unwanted PBI rc scripts
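Review bot: The new `if (!exec("/usr/sbin/pw usershow clamav"))` test in squid_check_clamav_user() relies on exec() returning an empty last output line, which cannot distinguish a missing account from pw failing to run at all, and the `| /usr/bin/grep clamav` membership test is a substring match over the whole group line. Capturing the exit status is the reliable signal: `exec("/usr/sbin/pw usershow clamav", $out, $rc);` followed by `if ($rc != 0) {` for the user, and `grep -w clamav` for the membership check so that only the exact member name matches. The `} else {` after `return;` is redundant and could be dropped so the body reads as a single guard clause.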
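Review bot: The return values of the new `chown($dir_path, $dir_user)` and `chgrp($dir_path, "wheel")` calls in squid_check_antivirus_dirs() are ignored, so an ownership failure on the C-ICAP/ClamAV runtime dirs goes unnoticed, which is at odds with the error reporting this commit adds elsewhere. Wrap them: `if (!chown($dir_path, $dir_user) || !chgrp($dir_path, "wheel")) {` / `log_error("[squid] Could not set ownership of '{$dir_path}'!");` / `}`. The 0755 mode passed to safe_mkdir() presumably applies only when the directory is created; an existing directory with a different mode is probably left as is — worth confirming against safe_mkdir(). The `$dirs` definition for this loop is outside the hunk.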
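Review bot: `mwexec("/bin/rm -rf {$dir}")` in squid_antivirus_install_command() deletes /var/log/c-icap on every install, not only after an upgrade from a version that left the directory with wrong ownership, so existing C-ICAP logs are discarded each time the package is (re)installed. Since squid_check_antivirus_dirs() re-owns the directories right afterwards, the log directory could be kept and only /var/run/c-icap recreated, or the removal limited to the case where the directory is not owned by root as the commit message says it should be. The `"{$dir}"` interpolation inside is_dir() is unnecessary; `is_dir($dir)` reads cleaner. The function body starts outside the hunk.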
@@ -136,6 +146,7 @@ function squid_antivirus_install_command() {
 
 /* Run on Squid package uninstall */
 function squid_antivirus_deinstall_command() {
+	global $config, $keep;
 	/* kill all running services */
 	if (is_process_running("c-icap")) {
 		mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl');
@@ -183,6 +194,21 @@ function squid_antivirus_deinstall_command() {
 		}
 	}
 
+	/* clean up user/groups if needed */
+	if (SQUID_BASE == '/usr/local') {
+		return;
+	} else {
+		if (exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) {
+			mwexec("/usr/sbin/pw groupmod wheel -d clamav");
+		}
+		if (exec("/usr/sbin/pw usershow clamav")) {
+			mwexec("/usr/sbin/pw userdel clamav");
+		}
+		if (exec("/usr/sbin/pw groupshow clamav")) {
+			mwexec("/usr/sbin/pw groupdel clamav");
+		}
+	}
+
 	/* check if clamav/c_icap is enabled in rc.conf.local */
 	// XXX: This hasn't been used since 0.3.7; to be removed in future
 	if (file_exists("/etc/rc.conf.local")) {
@@ -219,7 +245,7 @@ function squid_antivirus_deinstall_command() {
 
 /* Proxy Server: Antivirus configuration handler */
 function squid_resync_antivirus() {
-	global $config;
+	global $config, $antivirus_config;
 
 	if (is_array($config['installedpackages']['squidantivirus'])) {
 		$antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
@@ -266,7 +292,7 @@ adaptation_access service_avi_resp allow all
 EOF;
 
 	// check clamav user and dirs
-	squid_check_clamav_user('clamav');
+	squid_check_clamav_user();
 	squid_check_antivirus_dirs();
 
 	if ($antivirus_config['enable_advanced'] == "enabled") {
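Review bot: The `return;` in the new user/group cleanup block of squid_antivirus_deinstall_command() exits the whole function on pfSense 2.3 (SQUID_BASE == '/usr/local'), so the rc.conf.local cleanup that follows it in the same function — visible as context right after the block — never runs there. Only the pw calls need to be skipped, so invert the guard and drop the early return: `if (SQUID_BASE != '/usr/local') {` in place of the `if (...) { return; } else {` lines, keeping the three pw checks inside. The same return-then-else shape in squid_check_clamav_user() (first hunk) is harmless but equally redundant. The function continues outside the hunk.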
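Review bot: `global $config, $antivirus_config;` in squid_resync_antivirus() turns a value that is assigned from `$config` two lines later into shared global state, presumably so that another function can read it after the resync. If that consumer is squid_antivirus_install_config_files() or another helper, passing `$antivirus_config` as a parameter keeps the data flow explicit and spares the reader from hunting for the global. The function continues outside the hunk.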
@@ -290,15 +316,20 @@ EOF;
 	$cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf";
 	if (file_exists("{$cf}.pfsense")) {
 		$sample_file = file_get_contents("{$cf}.pfsense");
+		$squidclamav_m[0] = "@#This file was automatically generated by pfSense@";
+		$squidclamav_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
 		if ($antivirus_config['clamav_safebrowsing'] == "on") {
-			$squidclamav_m[0] = "@safebrowsing\s0@";
-			$squidclamav_r[0] = "safebrowsing 1";
+			$squidclamav_m[1] = "@safebrowsing\s0@";
+			$squidclamav_r[1] = "safebrowsing 1";
 		}
 		if ($antivirus_config['clamav_url'] != "") {
-			$squidclamav_m[1] = "@redirect http@";
-			$squidclamav_r[1] = "{$antivirus_config['clamav_url']}";
+			$squidclamav_m[2] = "@redirect http@";
+			$squidclamav_r[2] = "{$antivirus_config['clamav_url']}";
+		}
+		/* Trying to overwrite squidclamav.conf via file_put_contents() may fail when Squid is running */
+		if (!file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save generated {$cf} file!");
 		}
-		file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX);
 	} else {
 		log_error("[squid] Template not found; could not generate '{$cf}' file!");
 	}
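Review bot: `$squidclamav_r[2]` hands the GUI-supplied `clamav_url` to preg_replace() as a replacement string, where `\` and `$n`/`${n}` sequences are interpreted as backreferences instead of being written literally, so a URL containing them is silently mangled; make it literal with `$squidclamav_r[2] = addcslashes($antivirus_config['clamav_url'], '\\$');` and have the GUI validation reject control characters, since the value ends up in a line-oriented config file. The `@redirect http@` pattern also replaces only the `redirect http` prefix of the template line, so unless `clamav_url` is meant to carry the whole directive, the rest of the template URL is appended to it — worth confirming against the GUI field help. Separately, `!file_put_contents(...)` treats a legitimate zero-byte write as a failure; `=== false` is the precise check, and the same applies to the file_put_contents() checks added for c-icap.conf, freshclam.conf, clamd.conf, the template patches and squid_antivirus_write_conffile() in the later hunks. The enclosing squid_resync_antivirus() starts outside the hunk.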
@@ -310,20 +341,17 @@ EOF;
 		if (!preg_match("/squid_clamav/", $sample_file)) {
 			$sample_file .= "\nService squid_clamav squidclamav.so\n";
 		}
-		// XXX: Bug #4615
-		if (is_array($config['installedpackages']['squid'])) {
-			$squidsettings = $config['installedpackages']['squid']['config'][0];
-		} else {
-			$squidsettings = array();
+		/* XXX: Bug #4615
+		 * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways,
+		 * such as Error: [No Error] or 500 response codes.
+		 */
+		$cicap_m[0] = "@#This file was automatically generated by pfSense@";
+		$cicap_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
+		$cicap_m[1] = "@DebugLevel\s1@";
+		$cicap_r[1] = "DebugLevel 0";
+		if (!file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save generated {$cf} file!");
 		}
-		$logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs');
-		$cicap_m[0] = "@DebugLevel\s1@";
-		$cicap_r[0] = "DebugLevel 0";
-		$cicap_m[1] = "@AccessLog /var/squid/logs/c-icap-access.log@";
-		$cicap_r[1] = "AccessLog {$logdir}/c-icap-access.log";
-		$cicap_m[2] = "@ServerLog /var/squid/logs/c-icap-server.log@";
-		$cicap_r[2] = "ServerLog {$logdir}/c-icap-server.log";
-		file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
 	} else {
 		log_error("[squid] Template not found; could not generate '{$cf}' file!");
 	}
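Review bot: The four-line `XXX: Bug #4615` comment added here is repeated verbatim in the c-icap.conf template hunk of squid_antivirus_install_config_files(); keeping the full explanation in one place and a one-line `/* XXX: Bug #4615 - do not relocate the C-ICAP logs, see squid_antivirus_install_config_files() */` here avoids the two copies drifting apart. The `#This file was automatically generated by pfSense` → `... WebGUI configuration` header rewrite is likewise copied into four generators in this commit; a tiny helper returning the pattern/replacement pair would remove the repetition. The enclosing function and the `$sample_file` read are outside the hunk.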
@@ -332,15 +360,19 @@ EOF;
 	// just make a copy of pfSense template, nothing configurable via GUI options here
 	$cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic";
 	if (file_exists("{$cf}.pfsense")) {
-		copy("{$cf}.pfsense", "{$cf}");
+		if (!copy("{$cf}.pfsense", "{$cf}")) {
+			log_error("[squid] Could not save {$cf} file!");
+		}
 	} else {
-		log_error("[squid] Template not found; could not generate '{$cf}' file!");
+		log_error("[squid] Template not found; could not save '{$cf}' file!");
 	}
 
 	// freshclam.conf
 	$cf = SQUID_LOCALBASE . "/etc/freshclam.conf";
 	if (file_exists("{$cf}.pfsense")) {
 		$sample_file = file_get_contents("{$cf}.pfsense");
+		$freshclam_m[0] = "@#This file was automatically generated by pfSense@";
+		$freshclam_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
 		$clamav_mirrors = "";
 		if ($antivirus_config['clamav_dbregion'] != "") {
 			$clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n";
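Review bot: The new `log_error("[squid] Could not save {$cf} file!")` for c-icap.magic omits the quotes around the path that every other message in this function uses (`'{$cf}'`), so anyone filtering the log for the quoted form misses it; `log_error("[squid] Could not save '{$cf}' file!");` keeps it consistent. In the freshclam.conf part, `clamav_dbregion` is interpolated straight into a `DatabaseMirror db.<region>.clamav.net` hostname; if that GUI field is free text rather than a fixed list, it should be validated as a short alphanumeric region code before it reaches the config file. The function continues outside the hunk.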
@@ -351,23 +383,29 @@ EOF;
 			}
 		}
 		if ($clamav_mirrors != "") {
-			$freshclam_m[0] = "@#DatabaseMirror db.XY.clamav.net@";
-			$freshclam_r[0] = "{$clamav_mirrors}";
+			$freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@";
+			$freshclam_r[1] = "{$clamav_mirrors}";
 		}
 		if ($antivirus_config['clamav_safebrowsing'] == "on") {
-			$freshclam_m[1] = "@#SafeBrowsing yes@";
-			$freshclam_r[1] = "SafeBrowsing yes";
+			$freshclam_m[2] = "@#SafeBrowsing yes@";
+			$freshclam_r[2] = "SafeBrowsing yes";
+		}
+		if (!file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save generated {$cf} file!");
 		}
-		file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX);
 	} else {
 		log_error("[squid] Template not found; could not generate '{$cf}' file!");
 	}
 
 	// clamd.conf
-	// just make a copy of pfSense template, nothing configurable via GUI options here
 	$cf = SQUID_LOCALBASE . "/etc/clamd.conf";
 	if (file_exists("{$cf}.pfsense")) {
-		copy("{$cf}.pfsense", "{$cf}");
+		$sample_file = file_get_contents("{$cf}.pfsense");
+		$clamd_m[0] = "@#This file was automatically generated by pfSense@";
+		$clamd_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
+		if (!file_put_contents("{$cf}", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save generated {$cf} file!");
+		}
 	} else {
 		log_error("[squid] Template not found; could not generate '{$cf}' file!");
 	}
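Review bot: In the new clamd.conf branch, `$sample_file = file_get_contents("{$cf}.pfsense")` is not checked; when it returns false, preg_replace() yields an empty string and file_put_contents() truncates the existing clamd.conf to zero bytes (under LOCK_EX) before the `!file_put_contents(...)` test logs an error on the 0 return — the previous working config is lost. Check the read first, `if ($sample_file === false) { log_error("[squid] Could not read '{$cf}.pfsense' template!"); }`, and only write in the else branch; the squidclamav.conf, c-icap.conf and freshclam.conf generators read their templates the same way (outside this hunk) and would benefit from the same guard. `$freshclam_r[1] = "{$clamav_mirrors}"` also passes user-derived text as a preg_replace() replacement, where `\` and `$n` are interpreted; `addcslashes($clamav_mirrors, '\\$')` makes it literal. The function continues outside the hunk.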
@@ -406,8 +444,15 @@ function squid_antivirus_install_config_files() {
 		$squidclamav_m[1] = "@/var/run/clamav/clamd.ctl@";
 		$squidclamav_r[1] = "/var/run/clamav/clamd.sock";
 		$squidclamav_m[2] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@";
-		$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php";
-		file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX);
+		$port = $config['system']['webgui']['port'];
+		if ($port == "") {
+			$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php";
+		} else {
+			$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}:{$port}/squid_clwarn.php";
+		}
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] Could not patch '{$cf}' template file!");
 	}
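Review bot: The two `$squidclamav_r[2] = ...` assignments in squid_antivirus_install_config_files() differ only by the `:{$port}` suffix, so any later change to the warning-page URL has to be made twice. Build the authority once: `$host = "{$config['system']['hostname']}.{$config['system']['domain']}" . ($port != "" ? ":{$port}" : "");` followed by `$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$host}/squid_clwarn.php";`. `$port == ""` leans on loose comparison against a possibly unset config value; `empty($port)` states the intent directly, since 0 is not a usable port here either. The function continues outside the hunk.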
@@ -425,13 +470,15 @@ function squid_antivirus_install_config_files() {
 		}
 		$cicap_m[0] = "@# This file contains the default settings for c-icap@";
 		$cicap_r[0] = "#This file was automatically generated by pfSense";
+		/* XXX: Bug #4615
+		 * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways,
+		 * such as Error: [No Error] or 500 response codes.
+		 */
 		$cicap_m[1] = "@DebugLevel\s1@";
 		$cicap_r[1] = "DebugLevel 0";
-		$cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@";
-		$cicap_r[2] = "AccessLog /var/squid/logs/c-icap-access.log";
-		$cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@";
-		$cicap_r[3] = "ServerLog /var/squid/logs/c-icap-server.log";
-		file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] Could not patch '{$cf}' template file!");
 	}
@@ -460,7 +507,9 @@ function squid_antivirus_install_config_files() {
 		$clamd_r[1] = "";
 		$clamd_m[2] = "@#Example@";
 		$clamd_r[2] = "";
-		file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX);
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] Could not patch '{$cf}' template file!");
 	}
@@ -479,7 +528,9 @@ function squid_antivirus_install_config_files() {
 		$freshclam_r[1] = "";
 		$freshclam_m[2] = "@#Example@";
 		$freshclam_r[2] = "";
-		file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX);
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] - could not patch '{$cf}' template file!");
 	}
@@ -614,8 +665,11 @@ function squid_antivirus_put_raw_config($rawfiles) {
 
 /* Helper function for squid_antivirus_put_raw_config() */
 function squid_antivirus_write_conffile($dir, $file, $text) {
 	if ($file && $text) {
-		file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX);
-		log_error("[squid] Saved '{$file}' configuration file.");
+		if (!file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) {
+			log_error("[squid] Could not save '{$file}' configuration file.");
+		} else {
+			log_error("[squid] Saved '{$file}' configuration file.");
+		}
 	}
 }
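Review bot: squid_antivirus_write_conffile() joins `$dir` and `$file` into the target path with no validation, and this hunk adds error reporting around the write without adding any check on the name; if either value can originate from the raw-config GUI form handled by squid_antivirus_put_raw_config() (outside the hunk), a `$file` containing a path separator or `..` would resolve outside SQUID_LOCALBASE/etc. Restrict it to a plain filename, `if (basename($file) !== $file) { log_error("[squid] Refusing to write '{$file}': invalid file name."); return; }`, or better, an allowlist of the known config file names for each `$dir`. Logging `Saved '...'` through log_error() on the success path is noise in the system log; consider logging only failures.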