authordoktornotor <notordoktor@gmail.com>2015-10-11 15:52:35 +0200
committerdoktornotor <notordoktor@gmail.com>2015-10-11 15:52:35 +0200
commit64544441536552b858797a172148e058f3239115 (patch)
tree98bb951d26f8806e7890eb818903fcc072c14837
parent675b121ee2de4c1c430219053a9ba5f0d6a7e568 (diff)
Squid3 - multiple antivirus fixes
- Stop moving C-ICAP logs; it completely breaks things for users in bizarre ways. - Ditch the recursive chown madness on ClamAV/C-ICAP dirs. The C-ICAP socket/pid/logs are supposed to be owned by root:wheel, not clamav:wheel; this just should not be done. - Fix the broken squid_check_clamav_user() function and user handling in general; stop re-adding the clamav user to the wheel group over and over again. Also, clean up the wheel group on uninstall. - Put extensive error checking and debugging info into configuration file handling so that it is possible to debug things easily in future.
-rw-r--r--config/squid3/34/squid_antivirus.inc154
1 files changed, 104 insertions, 50 deletions
diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc
index 03b9e129..c6f128f1 100644
--- a/config/squid3/34/squid_antivirus.inc
+++ b/config/squid3/34/squid_antivirus.inc
@@ -37,16 +37,16 @@ require_once('config.inc');
*/
/* clamav user account hadling (only needed for PBI/pfSense <2.3) */
-function squid_check_clamav_user($user) {
+function squid_check_clamav_user() {
if (SQUID_BASE == '/usr/local') {
return;
- }
-
- $_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return);
- $user_arg = ($sq_ex_return == 0 ? "mod" : "add");
- $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return);
- if ($sq_ex_return != 0) {
- log_error("[squid] Could not change clamav user settings. " . serialize($sq_ex_output));
+ } else {
+ if (!exec("/usr/sbin/pw usershow clamav")) {
+ mwexec("/usr/sbin/pw useradd clamav -G wheel -u 9595 -s /sbin/nologin");
+ }
+ if (!exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) {
+ mwexec("/usr/sbin/pw usermod clamav -G wheel");
+ }
}
}
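Review bot: The rewritten branch drops the error logging the old code had: the exit status of the `pw useradd` and `pw usermod` calls made through mwexec() is ignored, so a failed account creation is silent, which runs against the commit's stated goal of making failures visible. Since mwexec() returns the command's exit status, wrap each call, e.g. `if (mwexec("/usr/sbin/pw useradd clamav -G wheel -u 9595 -s /sbin/nologin") != 0) { log_error("[squid] Could not create clamav user."); }`, and likewise for the usermod line. The `else` after the early `return` is redundant; `if (SQUID_BASE != '/usr/local') { ... }` reads more directly. The `/usr/bin/grep clamav` membership test is a substring match on the wheel member list, so `/usr/bin/grep -w clamav` would avoid a false positive from another account name containing it.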
@@ -61,7 +61,8 @@ function squid_check_antivirus_dirs() {
);
foreach ($dirs as $dir_path => $dir_user) {
safe_mkdir($dir_path, 0755);
- squid_chown_recursive($dir_path, $dir_user, "wheel");
+ chown($dir_path, $dir_user);
+ chgrp($dir_path, "wheel");
}
}
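Review bot: chown() and chgrp() on the new lines return false on failure but are left unchecked, unlike the file writes this commit guards elsewhere, so a wrong owner on one of these directories is not logged and may only surface later as a daemon start failure. Suggest `if (!chown($dir_path, $dir_user) || !chgrp($dir_path, "wheel")) { log_error("[squid] Could not set ownership of {$dir_path}!"); }`. The change from recursive to top-level-only ownership is deliberate per the commit message; a one-line comment such as `// top-level directory only; contents keep their existing ownership` would stop a future reader from reinstating the recursion. squid_check_antivirus_dirs() starts before this hunk.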
@@ -125,7 +126,16 @@ function squid_antivirus_install_command() {
symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3");
}
- // check dirs
+ // remove dirs with possibly broken file permissions after previous versions
+ $dirs = array("/var/run/c-icap", "/var/log/c-icap");
+ foreach ($dirs as $dir) {
+ if (is_dir("{$dir}")) {
+ mwexec("/bin/rm -rf {$dir}");
+ }
+ }
+
+ // create required dirs and set up clamav user if needed
+ squid_check_clamav_user();
squid_check_antivirus_dirs();
// remove unwanted PBI rc scripts
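Review bot: The `rm -rf` exit status in the new loop is discarded, so a directory that could not be removed (and still carries the broken permissions the comment describes) is recreated silently on the next line; `if (mwexec("/bin/rm -rf {$dir}") != 0) { log_error("[squid] Could not remove {$dir}!"); }` keeps that visible. `is_dir("{$dir}")` is the same as `is_dir($dir)`; the interpolation adds nothing. The directory list here appears to duplicate the one squid_check_antivirus_dirs() holds (that list is outside this hunk), and a shared array would keep the two from drifting. squid_antivirus_install_command() starts before and continues after this hunk.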
@@ -136,6 +146,7 @@ function squid_antivirus_install_command() {
/* Run on Squid package uninstall */
function squid_antivirus_deinstall_command() {
+ global $config, $keep;
/* kill all running services */
if (is_process_running("c-icap")) {
mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl');
@@ -183,6 +194,21 @@ function squid_antivirus_deinstall_command() {
}
}
+ /* clean up user/groups if needed */
+ if (SQUID_BASE == '/usr/local') {
+ return;
+ } else {
+ if (exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) {
+ mwexec("/usr/sbin/pw groupmod wheel -d clamav");
+ }
+ if (exec("/usr/sbin/pw usershow clamav")) {
+ mwexec("/usr/sbin/pw userdel clamav");
+ }
+ if (exec("/usr/sbin/pw groupshow clamav")) {
+ mwexec("/usr/sbin/pw groupdel clamav");
+ }
+ }
+
/* check if clamav/c_icap is enabled in rc.conf.local */
// XXX: This hasn't been used since 0.3.7; to be removed in future
if (file_exists("/etc/rc.conf.local")) {
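Review bot: The early `return` at the top of the new block ends squid_antivirus_deinstall_command() as a whole when SQUID_BASE is /usr/local, so on those systems the rc.conf.local cleanup that follows, and anything else the function does after this hunk, no longer runs; the `if/return/else` shape was lifted from squid_check_clamav_user(), where returning early is harmless. Replace it with a positive guard, `if (SQUID_BASE != '/usr/local') {` around the three pw calls, dropping the `return;` and the `else`. The mwexec() exit codes here are likewise unchecked, as in the install-side hunk above. The function continues outside this hunk.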
@@ -219,7 +245,7 @@ function squid_antivirus_deinstall_command() {
/* Proxy Server: Antivirus configuration handler */
function squid_resync_antivirus() {
- global $config;
+ global $config, $antivirus_config;
if (is_array($config['installedpackages']['squidantivirus'])) {
$antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
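Review bot: Promoting `$antivirus_config` from a local to a global on the new line creates hidden coupling: whichever function reads it (not visible in this hunk) now depends on squid_resync_antivirus() having run first in the same request, and when `$config['installedpackages']['squidantivirus']` is not an array the global keeps whatever an earlier call left in it. Passing the array as a parameter to the consumer, or having it read `$config` directly, would make the dependency explicit. If the global stays, a comment on this line naming the function that reads it is the minimum, e.g. `global $config, $antivirus_config; // $antivirus_config is read by <consumer>`. The function continues outside this hunk.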
@@ -266,7 +292,7 @@ adaptation_access service_avi_resp allow all
EOF;
// check clamav user and dirs
- squid_check_clamav_user('clamav');
+ squid_check_clamav_user();
squid_check_antivirus_dirs();
if ($antivirus_config['enable_advanced'] == "enabled") {
@@ -290,15 +316,20 @@ EOF;
$cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf";
if (file_exists("{$cf}.pfsense")) {
$sample_file = file_get_contents("{$cf}.pfsense");
+ $squidclamav_m[0] = "@#This file was automatically generated by pfSense@";
+ $squidclamav_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
if ($antivirus_config['clamav_safebrowsing'] == "on") {
- $squidclamav_m[0] = "@safebrowsing\s0@";
- $squidclamav_r[0] = "safebrowsing 1";
+ $squidclamav_m[1] = "@safebrowsing\s0@";
+ $squidclamav_r[1] = "safebrowsing 1";
}
if ($antivirus_config['clamav_url'] != "") {
- $squidclamav_m[1] = "@redirect http@";
- $squidclamav_r[1] = "{$antivirus_config['clamav_url']}";
+ $squidclamav_m[2] = "@redirect http@";
+ $squidclamav_r[2] = "{$antivirus_config['clamav_url']}";
+ }
+ /* Trying to overwrite squidclamav.conf via file_put_contents() may fail when Squid is running */
+ if (!file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save generated {$cf} file!");
}
- file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX);
} else {
log_error("[squid] Template not found; could not generate '{$cf}' file!");
}
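Review bot: `$antivirus_config['clamav_url']` is used verbatim as a preg_replace() replacement on the new `$squidclamav_r[2]` line, so a GUI value containing a `$1`- or `\1`-style sequence is rewritten as a backreference, and an embedded newline would become an extra squidclamav.conf directive; the same applies to `$clamav_mirrors` in the freshclam.conf hunk further down. Validate the value as a single-line URL where the form is saved, and escape it for the replacement here: `$squidclamav_r[2] = addcslashes($antivirus_config['clamav_url'], '\\$');`. Note also that `@redirect http@` replaces only that substring, so if the template line reads `redirect http...` the remainder of the line stays in place after the inserted value; a comment stating the expected shape of clamav_url would help, since this hunk does not show it. The function continues outside this hunk.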
@@ -310,20 +341,17 @@ EOF;
if (!preg_match("/squid_clamav/", $sample_file)) {
$sample_file .= "\nService squid_clamav squidclamav.so\n";
}
- // XXX: Bug #4615
- if (is_array($config['installedpackages']['squid'])) {
- $squidsettings = $config['installedpackages']['squid']['config'][0];
- } else {
- $squidsettings = array();
+ /* XXX: Bug #4615
+ * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways,
+ * such as Error: [No Error] or 500 response codes.
+ */
+ $cicap_m[0] = "@#This file was automatically generated by pfSense@";
+ $cicap_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
+ $cicap_m[1] = "@DebugLevel\s1@";
+ $cicap_r[1] = "DebugLevel 0";
+ if (!file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save generated {$cf} file!");
}
- $logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs');
- $cicap_m[0] = "@DebugLevel\s1@";
- $cicap_r[0] = "DebugLevel 0";
- $cicap_m[1] = "@AccessLog /var/squid/logs/c-icap-access.log@";
- $cicap_r[1] = "AccessLog {$logdir}/c-icap-access.log";
- $cicap_m[2] = "@ServerLog /var/squid/logs/c-icap-server.log@";
- $cicap_r[2] = "ServerLog {$logdir}/c-icap-server.log";
- file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
} else {
log_error("[squid] Template not found; could not generate '{$cf}' file!");
}
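Review bot: `@DebugLevel\s1@` on the new `$cicap_m[1]` line is unanchored, so it also matches the prefix of a `DebugLevel 10` or `DebugLevel 12` line in a template and would leave e.g. `DebugLevel 00` behind; the same pattern is added at the `$cicap_m[1]` line in the squid_antivirus_install_config_files() hunk below. Anchoring it to a whole line, `$cicap_m[1] = "@^DebugLevel\s+1$@m";`, matches only the intended directive. The shipped template is under the package's control, so this is a robustness point rather than a live bug. The function continues outside this hunk.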
@@ -332,15 +360,19 @@ EOF;
// just make a copy of pfSense template, nothing configurable via GUI options here
$cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic";
if (file_exists("{$cf}.pfsense")) {
- copy("{$cf}.pfsense", "{$cf}");
+ if (!copy("{$cf}.pfsense", "{$cf}")) {
+ log_error("[squid] Could not save {$cf} file!");
+ }
} else {
- log_error("[squid] Template not found; could not generate '{$cf}' file!");
+ log_error("[squid] Template not found; could not save '{$cf}' file!");
}
// freshclam.conf
$cf = SQUID_LOCALBASE . "/etc/freshclam.conf";
if (file_exists("{$cf}.pfsense")) {
$sample_file = file_get_contents("{$cf}.pfsense");
+ $freshclam_m[0] = "@#This file was automatically generated by pfSense@";
+ $freshclam_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
$clamav_mirrors = "";
if ($antivirus_config['clamav_dbregion'] != "") {
$clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n";
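Review bot: `file_get_contents("{$cf}.pfsense")` on the freshclam.conf line is not checked: on a read error `$sample_file` is false, preg_replace() turns it into an empty string, and the new `!file_put_contents()` check then logs a misleading "Could not save" after having already truncated the live config file. The new clamd.conf read in the following hunk has the same gap. Guard the read before substituting, `if ($sample_file === false) { log_error("[squid] Could not read '{$cf}.pfsense' template!"); } else { ... }`. The function continues outside this hunk.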
@@ -351,23 +383,29 @@ EOF;
}
}
if ($clamav_mirrors != "") {
- $freshclam_m[0] = "@#DatabaseMirror db.XY.clamav.net@";
- $freshclam_r[0] = "{$clamav_mirrors}";
+ $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@";
+ $freshclam_r[1] = "{$clamav_mirrors}";
}
if ($antivirus_config['clamav_safebrowsing'] == "on") {
- $freshclam_m[1] = "@#SafeBrowsing yes@";
- $freshclam_r[1] = "SafeBrowsing yes";
+ $freshclam_m[2] = "@#SafeBrowsing yes@";
+ $freshclam_r[2] = "SafeBrowsing yes";
+ }
+ if (!file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save generated {$cf} file!");
}
- file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX);
} else {
log_error("[squid] Template not found; could not generate '{$cf}' file!");
}
// clamd.conf
- // just make a copy of pfSense template, nothing configurable via GUI options here
$cf = SQUID_LOCALBASE . "/etc/clamd.conf";
if (file_exists("{$cf}.pfsense")) {
- copy("{$cf}.pfsense", "{$cf}");
+ $sample_file = file_get_contents("{$cf}.pfsense");
+ $clamd_m[0] = "@#This file was automatically generated by pfSense@";
+ $clamd_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
+ if (!file_put_contents("{$cf}", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save generated {$cf} file!");
+ }
} else {
log_error("[squid] Template not found; could not generate '{$cf}' file!");
}
@@ -406,8 +444,15 @@ function squid_antivirus_install_config_files() {
$squidclamav_m[1] = "@/var/run/clamav/clamd.ctl@";
$squidclamav_r[1] = "/var/run/clamav/clamd.sock";
$squidclamav_m[2] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@";
- $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php";
- file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX);
+ $port = $config['system']['webgui']['port'];
+ if ($port == "") {
+ $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php";
+ } else {
+ $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}:{$port}/squid_clwarn.php";
+ }
+ if (!file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+ }
} else {
log_error("[squid] Could not patch '{$cf}' template file!");
}
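Review bot: The two branches on the new lines repeat a long URL expression that differs only in the `:{$port}` segment, which invites the two copies drifting apart; build the suffix once, `$port_suffix = ($port == "" ? "" : ":{$port}");`, followed by a single `$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}{$port_suffix}/squid_clwarn.php";`. `$port == ""` is a loose comparison; `empty($port)` states the intent and also covers the key being absent. A `ctype_digit($port)` test before interpolating it into the template would reject a malformed value at the only place it is consumed. The function continues outside this hunk.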
@@ -425,13 +470,15 @@ function squid_antivirus_install_config_files() {
}
$cicap_m[0] = "@# This file contains the default settings for c-icap@";
$cicap_r[0] = "#This file was automatically generated by pfSense";
+ /* XXX: Bug #4615
+ * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways,
+ * such as Error: [No Error] or 500 response codes.
+ */
$cicap_m[1] = "@DebugLevel\s1@";
$cicap_r[1] = "DebugLevel 0";
- $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@";
- $cicap_r[2] = "AccessLog /var/squid/logs/c-icap-access.log";
- $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@";
- $cicap_r[3] = "ServerLog /var/squid/logs/c-icap-server.log";
- file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
+ if (!file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+ }
} else {
log_error("[squid] Could not patch '{$cf}' template file!");
}
@@ -460,7 +507,9 @@ function squid_antivirus_install_config_files() {
$clamd_r[1] = "";
$clamd_m[2] = "@#Example@";
$clamd_r[2] = "";
- file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX);
+ if (!file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+ }
} else {
log_error("[squid] Could not patch '{$cf}' template file!");
}
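Review bot: The write-and-log block added here is the same three lines this commit adds after every config file in squid_resync_antivirus() and squid_antivirus_install_config_files() (the freshclam.conf hunk below included), differing only in path and message, and `!file_put_contents()` also treats a legitimate zero-byte write as failure. A small helper that compares against `false` removes the repetition and makes the check impossible to forget at the next file; the call site then becomes `squid_antivirus_write_file("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file));`. The function continues outside this hunk.
```php
/* Write $content to $path under an exclusive lock; log and return false on failure. */
function squid_antivirus_write_file($path, $content) {
	if (file_put_contents($path, $content, LOCK_EX) === false) {
		log_error("[squid] Could not save '{$path}' file!");
		return false;
	}
	return true;
}
// … unchanged: clamd.conf template patching, now ending in a squid_antivirus_write_file() call …
```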
@@ -479,7 +528,9 @@ function squid_antivirus_install_config_files() {
$freshclam_r[1] = "";
$freshclam_m[2] = "@#Example@";
$freshclam_r[2] = "";
- file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX);
+ if (!file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) {
+ log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+ }
} else {
log_error("[squid] - could not patch '{$cf}' template file!");
}
@@ -614,8 +665,11 @@ function squid_antivirus_put_raw_config($rawfiles) {
/* Helper function for squid_antivirus_put_raw_config() */
function squid_antivirus_write_conffile($dir, $file, $text) {
if ($file && $text) {
- file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX);
- log_error("[squid] Saved '{$file}' configuration file.");
+ if (!file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) {
+ log_error("[squid] Could not save '{$file}' configuration file.");
+ } else {
+ log_error("[squid] Saved '{$file}' configuration file.");
+ }
}
}
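Review bot: The target path on the new write line is built from `$dir` and `$file` with no check that `$file` is a bare filename; if the `$rawfiles` entries handed through squid_antivirus_put_raw_config() originate from GUI input (their source is outside this hunk), a value containing a path separator would let the write land outside SQUID_LOCALBASE/etc. A guard at the top of the function, `if ($file !== basename($file)) { log_error("[squid] Refusing to write '{$file}': not a plain filename."); return; }`, makes the function's contract explicit regardless of the caller. A short docblock stating that `$text` is base64-encoded content with CRLF normalised to LF would also save the next reader a trip to the caller.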