Squid3 - multiple antivirus fixes

- Stop moving C-ICAP logs, it completely breaks things for users in bizarre ways
- Ditch the recursive chown madness on ClamAV/C-ICAP dirs. The C-ICAP socket/pid/logs are supposed to be owned by root:wheel, not clamav:wheel, this just should not be done.
- Fix the broken squid_check_clamav_user() function and user handling in general; stop re-adding clamav user to wheel group over and over again. Also, clean up the wheel group on uninstall.
- Put extensive error checking and debugging info to configuration files handling so that it's possible to debug things easily in future.

1 files changed, 104 insertions, 50 deletions

diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc
index 03b9e129..c6f128f1 100644
--- a/config/squid3/34/squid_antivirus.inc
+++ b/config/squid3/34/squid_antivirus.inc
@@ -37,16 +37,16 @@ require_once('config.inc');
  */
 
 /* clamav user account hadling (only needed for PBI/pfSense <2.3) */
-function squid_check_clamav_user($user) {
+function squid_check_clamav_user() {
 	if (SQUID_BASE == '/usr/local') {
 		return;
-	}
-
-	$_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return);
-	$user_arg = ($sq_ex_return == 0 ? "mod" : "add");
-	$_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return);
-	if ($sq_ex_return != 0) {
-		log_error("[squid] Could not change clamav user settings. " . serialize($sq_ex_output));
+	} else {
+		if (!exec("/usr/sbin/pw usershow clamav")) {
+			mwexec("/usr/sbin/pw useradd clamav -G wheel -u 9595 -s /sbin/nologin");
+		}
+		if (!exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) {
+			mwexec("/usr/sbin/pw usermod clamav -G wheel");
+		}
 	}
 }
 
@@ -61,7 +61,8 @@ function squid_check_antivirus_dirs() {
 	);
 	foreach ($dirs as $dir_path => $dir_user) {
 		safe_mkdir($dir_path, 0755);
-		squid_chown_recursive($dir_path, $dir_user, "wheel");
+		chown($dir_path, $dir_user);
+		chgrp($dir_path, "wheel");
 	}
 }
 
@@ -125,7 +126,16 @@ function squid_antivirus_install_command() {
 		symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3");
 	}
 
-	// check dirs
+	// remove dirs with possibly broken file permissions after previous versions
+	$dirs = array("/var/run/c-icap", "/var/log/c-icap");
+	foreach ($dirs as $dir) {
+		if (is_dir("{$dir}")) {
+			mwexec("/bin/rm -rf {$dir}");
+		}
+	}
+
+	// create required dirs and set up clamav user if needed
+	squid_check_clamav_user();
 	squid_check_antivirus_dirs();
 
 	// remove unwanted PBI rc scripts
@@ -136,6 +146,7 @@ function squid_antivirus_install_command() {
 
 /* Run on Squid package uninstall */
 function squid_antivirus_deinstall_command() {
+	global $config, $keep;
 	/* kill all running services */
 	if (is_process_running("c-icap")) {
 		mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl');
@@ -183,6 +194,21 @@ function squid_antivirus_deinstall_command() {
 		}
 	}
 
+	/* clean up user/groups if needed */
+	if (SQUID_BASE == '/usr/local') {
+		return;
+	} else {
+		if (exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) {
+			mwexec("/usr/sbin/pw groupmod wheel -d clamav");
+		}
+		if (exec("/usr/sbin/pw usershow clamav")) {
+			mwexec("/usr/sbin/pw userdel clamav");
+		}
+		if (exec("/usr/sbin/pw groupshow clamav")) {
+			mwexec("/usr/sbin/pw groupdel clamav");
+		}
+	}
+
 	/* check if clamav/c_icap is enabled in rc.conf.local */
 	// XXX: This hasn't been used since 0.3.7; to be removed in future
 	if (file_exists("/etc/rc.conf.local")) {
@@ -219,7 +245,7 @@ function squid_antivirus_deinstall_command() {
 
 /* Proxy Server: Antivirus configuration handler */
 function squid_resync_antivirus() {
-	global $config;
+	global $config, $antivirus_config;
 
 	if (is_array($config['installedpackages']['squidantivirus'])) {
 		$antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
@@ -266,7 +292,7 @@ adaptation_access service_avi_resp allow all
 EOF;
 
 		// check clamav user and dirs
-		squid_check_clamav_user('clamav');
+		squid_check_clamav_user();
 		squid_check_antivirus_dirs();
 
 		if ($antivirus_config['enable_advanced'] == "enabled") {
@@ -290,15 +316,20 @@ EOF;
 			$cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf";
 			if (file_exists("{$cf}.pfsense")) {
 				$sample_file = file_get_contents("{$cf}.pfsense");
+				$squidclamav_m[0] = "@#This file was automatically generated by pfSense@";
+				$squidclamav_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
 				if ($antivirus_config['clamav_safebrowsing'] == "on") {
-					$squidclamav_m[0] = "@safebrowsing\s0@";
-					$squidclamav_r[0] = "safebrowsing 1";
+					$squidclamav_m[1] = "@safebrowsing\s0@";
+					$squidclamav_r[1] = "safebrowsing 1";
 				}
 				if ($antivirus_config['clamav_url'] != "") {
-					$squidclamav_m[1] = "@redirect http@";
-					$squidclamav_r[1] = "{$antivirus_config['clamav_url']}";
+					$squidclamav_m[2] = "@redirect http@";
+					$squidclamav_r[2] = "{$antivirus_config['clamav_url']}";
+				}
+				/* Trying to overwrite squidclamav.conf via file_put_contents() may fail when Squid is running */
+				if (!file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) {
+					log_error("[squid] Could not save generated {$cf} file!");
 				}
-				file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX);
 			} else {
 				log_error("[squid] Template not found; could not generate '{$cf}' file!");
 			}
@@ -310,20 +341,17 @@ EOF;
 				if (!preg_match("/squid_clamav/", $sample_file)) {
 					$sample_file .= "\nService squid_clamav squidclamav.so\n";
 				}
-				// XXX: Bug #4615
-				if (is_array($config['installedpackages']['squid'])) {
-					$squidsettings = $config['installedpackages']['squid']['config'][0];
-				} else {
-					$squidsettings = array();
+				/* XXX: Bug #4615
+				 * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways,
+				 * such as Error: [No Error] or 500 response codes.
+				 */
+				$cicap_m[0] = "@#This file was automatically generated by pfSense@";
+				$cicap_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
+				$cicap_m[1] = "@DebugLevel\s1@";
+				$cicap_r[1] = "DebugLevel 0";
+				if (!file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) {
+					log_error("[squid] Could not save generated {$cf} file!");
 				}
-				$logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs');
-				$cicap_m[0] = "@DebugLevel\s1@";
-				$cicap_r[0] = "DebugLevel 0";
-				$cicap_m[1] = "@AccessLog /var/squid/logs/c-icap-access.log@";
-				$cicap_r[1] = "AccessLog {$logdir}/c-icap-access.log";
-				$cicap_m[2] = "@ServerLog /var/squid/logs/c-icap-server.log@";
-				$cicap_r[2] = "ServerLog {$logdir}/c-icap-server.log";
-				file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
 			} else {
 				log_error("[squid] Template not found; could not generate '{$cf}' file!");
 			}
@@ -332,15 +360,19 @@ EOF;
 			// just make a copy of pfSense template, nothing configurable via GUI options here
 			$cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic";
 			if (file_exists("{$cf}.pfsense")) {
-				copy("{$cf}.pfsense", "{$cf}");
+				if (!copy("{$cf}.pfsense", "{$cf}")) {
+					log_error("[squid] Could not save {$cf} file!");
+				}
 			} else {
-				log_error("[squid] Template not found; could not generate '{$cf}' file!");
+				log_error("[squid] Template not found; could not save '{$cf}' file!");
 			}
 
 			// freshclam.conf
 			$cf = SQUID_LOCALBASE . "/etc/freshclam.conf";
 			if (file_exists("{$cf}.pfsense")) {
 				$sample_file = file_get_contents("{$cf}.pfsense");
+				$freshclam_m[0] = "@#This file was automatically generated by pfSense@";
+				$freshclam_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
 				$clamav_mirrors = "";
 				if ($antivirus_config['clamav_dbregion'] != "") {
 					$clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n";
@@ -351,23 +383,29 @@ EOF;
 					}
 				}
 				if ($clamav_mirrors != "") {
-					$freshclam_m[0] = "@#DatabaseMirror db.XY.clamav.net@";
-					$freshclam_r[0] = "{$clamav_mirrors}";
+					$freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@";
+					$freshclam_r[1] = "{$clamav_mirrors}";
 				}
 				if ($antivirus_config['clamav_safebrowsing'] == "on") {
-					$freshclam_m[1] = "@#SafeBrowsing yes@";
-					$freshclam_r[1] = "SafeBrowsing yes";
+					$freshclam_m[2] = "@#SafeBrowsing yes@";
+					$freshclam_r[2] = "SafeBrowsing yes";
+				}
+				if (!file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) {
+					log_error("[squid] Could not save generated {$cf} file!");
 				}
-				file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX);
 			} else {
 				log_error("[squid] Template not found; could not generate '{$cf}' file!");
 			}
 
 			// clamd.conf
-			// just make a copy of pfSense template, nothing configurable via GUI options here
 			$cf = SQUID_LOCALBASE . "/etc/clamd.conf";
 			if (file_exists("{$cf}.pfsense")) {
-				copy("{$cf}.pfsense", "{$cf}");
+				$sample_file = file_get_contents("{$cf}.pfsense");
+				$clamd_m[0] = "@#This file was automatically generated by pfSense@";
+				$clamd_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
+				if (!file_put_contents("{$cf}", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) {
+					log_error("[squid] Could not save generated {$cf} file!");
+				}
 			} else {
 				log_error("[squid] Template not found; could not generate '{$cf}' file!");
 			}
@@ -406,8 +444,15 @@ function squid_antivirus_install_config_files() {
 		$squidclamav_m[1] = "@/var/run/clamav/clamd.ctl@";
 		$squidclamav_r[1] = "/var/run/clamav/clamd.sock";
 		$squidclamav_m[2] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@";
-		$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php";
-		file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX);
+		$port = $config['system']['webgui']['port'];
+		if ($port == "") {
+			$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php";
+		} else {
+			$squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}:{$port}/squid_clwarn.php";
+		}
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] Could not patch '{$cf}' template file!");
 	}
@@ -425,13 +470,15 @@ function squid_antivirus_install_config_files() {
 		}
 		$cicap_m[0] = "@# This file contains the default settings for c-icap@";
 		$cicap_r[0] = "#This file was automatically generated by pfSense";
+		/* XXX: Bug #4615
+		 * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways,
+		 * such as Error: [No Error] or 500 response codes.
+		 */
 		$cicap_m[1] = "@DebugLevel\s1@";
 		$cicap_r[1] = "DebugLevel 0";
-		$cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@";
-		$cicap_r[2] = "AccessLog /var/squid/logs/c-icap-access.log";
-		$cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@";
-		$cicap_r[3] = "ServerLog /var/squid/logs/c-icap-server.log";
-		file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] Could not patch '{$cf}' template file!");
 	}
@@ -460,7 +507,9 @@ function squid_antivirus_install_config_files() {
 		$clamd_r[1] = "";
 		$clamd_m[2] = "@#Example@";
 		$clamd_r[2] = "";
-		file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX);
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] Could not patch '{$cf}' template file!");
 	}
@@ -479,7 +528,9 @@ function squid_antivirus_install_config_files() {
 		$freshclam_r[1] = "";
 		$freshclam_m[2] = "@#Example@";
 		$freshclam_r[2] = "";
-		file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX);
+		if (!file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) {
+			log_error("[squid] Could not save patched '{$cf}.pfsense' template file!");
+		}
 	} else {
 		log_error("[squid] - could not patch '{$cf}' template file!");
 	}
@@ -614,8 +665,11 @@ function squid_antivirus_put_raw_config($rawfiles) {
 /* Helper function for squid_antivirus_put_raw_config() */
 function squid_antivirus_write_conffile($dir, $file, $text) {
 	if ($file && $text) {
-		file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX);
-		log_error("[squid] Saved '{$file}' configuration file.");
+		if (!file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) {
+			log_error("[squid] Could not save '{$file}' configuration file.");
+		} else {
+			log_error("[squid] Saved '{$file}' configuration file.");
+		}
 	}
 }