From bfba2284a7436d2ab844b455c6aeaca49b73a5de Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 15:33:26 +0200 Subject: Put in more logging, move AV service stop to a separate function, deinstall cleanup --- config/squid3/34/squid_antivirus.inc | 85 ++++++++++++++++++++++-------------- 1 file changed, 52 insertions(+), 33 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 9a678fa9..0619549e 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -42,9 +42,11 @@ function squid_check_clamav_user() { return; } else { if (!exec("/usr/sbin/pw usershow clamav")) { + log_error("[squid] Adding clamav user."); mwexec("/usr/sbin/pw useradd clamav -G wheel -u 9595 -s /sbin/nologin"); } if (!exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) { + log_error("[squid] Adding clamav user to wheel group."); mwexec("/usr/sbin/pw usermod clamav -G wheel"); } } @@ -147,21 +149,10 @@ function squid_antivirus_install_command() { /* Run on Squid package uninstall */ function squid_antivirus_deinstall_command() { global $config, $keep; - /* kill all running services */ - if (is_process_running("c-icap")) { - mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); - } - mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + /* Stop all running services, remove rc scripts and cronjobs */ + squid_stop_antivirus(); mwexec("/bin/ps awux | /usr/bin/grep '[f]reshclam' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); - /* remove cronjobs */ - squid_install_freshclam_cron(false); - - /* delete rc scripts */ - unlink_if_exists('/usr/local/etc/rc.d/squid.sh'); - unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); - unlink_if_exists('/usr/local/etc/rc.d/clamd.sh'); - /* clean up created PBI symlinks */ update_output_window("Finishing package cleanup."); if (SQUID_LOCALBASE != '/usr/local') { 
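Review bot: The two added `log_error()` calls in squid_check_clamav_user() record the intent before `mwexec()` runs, and the return value of `mwexec()` is still discarded, so the log reads "Adding clamav user to wheel group." even when `pw` fails. Because this changes account and group membership (wheel), the log should reflect the outcome, for example `if (mwexec("/usr/sbin/pw usermod clamav -G wheel") != 0) { log_error("[squid] Failed to add clamav user to wheel group."); }`, and the same for the `useradd` call. The function starts above the hunk, so the condition guarding this `else` branch is not visible here.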
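Review bot: squid_antivirus_deinstall_command() used to remove three rc scripts, but `squid_stop_antivirus()` as added later in this patch unlinks only `c-icap.sh` and `clamd.sh`, so `/usr/local/etc/rc.d/squid.sh` is no longer deleted on this path. Unless the main Squid deinstall code removes it elsewhere (not visible in this diff), a stale rc script stays on the system after uninstall. Either keep `unlink_if_exists('/usr/local/etc/rc.d/squid.sh');` after the `squid_stop_antivirus();` call or confirm where it is handled. The new comment also says "Stop all running services", while freshclam is still killed by the separate `mwexec()` line below it. The function continues past the end of the hunk.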
@@ -656,11 +647,11 @@ function squid_antivirus_put_raw_config($rawfiles) { break; case 'raw_freshclam_conf': $confdir = ""; - $conffile = "freshclam.conf"; + $conffile = "/freshclam.conf"; break; case 'raw_clamd_conf': $confdir = ""; - $conffile = "clamd.conf"; + $conffile = "/clamd.conf"; break; default: $confdir = ""; @@ -677,10 +668,11 @@ function squid_antivirus_put_raw_config($rawfiles) { /* Helper function for squid_antivirus_put_raw_config() */ function squid_antivirus_write_conffile($dir, $file, $text) { if ($file && $text) { - if (!file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) { - log_error("[squid] Could not save '{$file}' configuration file."); + $cfgfile = SQUID_LOCALBASE . "/etc" . "{$dir}" . "{$file}"; + if (!file_put_contents("{$cfgfile}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) { + log_error("[squid] Could not save '{$cfgfile}' configuration file."); } else { - log_error("[squid] Saved '{$file}' configuration file."); + log_error("[squid] Saved '{$cfgfile}' configuration file."); } } } @@ -697,7 +689,7 @@ function squid_write_clamd_rcfile() { $rc['start'] = <<< EOD if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ]; then - echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" + echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first!" exit 1 fi @@ -717,6 +709,7 @@ fi EOD; conf_mount_rw(); + log_error("[squid] Creating 'clamd.sh' rc script."); write_rcfile($rc); conf_mount_ro(); } @@ -730,6 +723,7 @@ function squid_write_cicap_rcfile() { $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; conf_mount_rw(); + log_error("[squid] Creating '{$c_icap_rcfile}' rc script."); write_rcfile(array( "file" => "{$c_icap_rcfile}", "start" => "{$cicap_start_cmd}", 
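Review bot: In the hunk at -677, squid_antivirus_write_conffile() no longer puts a "/" between `{$dir}` and `{$file}`, so the path is only correct when every caller supplies a `$conffile` that begins with a slash. The hunk at -656 adds that slash for `raw_freshclam_conf` and `raw_clamd_conf`, but the earlier `case` branches of squid_antivirus_put_raw_config() lie outside both hunks and cannot be checked from here. A value without the slash would be written to a fused file name under `SQUID_LOCALBASE . "/etc"` and still be logged as saved. Normalising in the helper removes that coupling: `$cfgfile = SQUID_LOCALBASE . "/etc" . $dir . "/" . ltrim($file, "/");`.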
@@ -739,7 +733,7 @@ function squid_write_cicap_rcfile() { conf_mount_ro(); } -/* (Re)start antivirus services if AV features are enabled; otherwise stop and disable them */ +/* (Re)start antivirus services if AV features are enabled */ function squid_restart_antivirus() { global $config; if (is_array($config['installedpackages']['squidantivirus'])) { @@ -751,6 +745,7 @@ function squid_restart_antivirus() { // reconfigure and (re)start service as needed if enabled, otherwise stop them // do not (re)start antivirus services on boot if (platform_booting()) { + log_error("[squid] Skipping antivirus services (re)start on boot."); return; } @@ -758,7 +753,7 @@ function squid_restart_antivirus() { // Check clamav database if (count(glob("/var/db/clamav/*d")) == 0) { log_error("[squid] Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); - log_error("[squid] Do NOT attempt to start ClamAV service until AV definitions are downloaded. Check /var/log/clamav/freshclam.log for progress information."); + log_error("[squid] Do NOT attempt to start ClamAV service until AV definitions are downloaded."); squid_update_clamav(); } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) { log_error("[squid] Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); 
@@ -789,31 +784,55 @@ function squid_restart_antivirus() { squid_write_cicap_rcfile(); } if (is_process_running("c-icap")) { + log_error("[squid] Reloading C-ICAP..."); mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); } else { + log_error("[squid] Starting C-ICAP..."); mwexec_bg("{$c_icap_rcfile} start"); } } else { // stop AV services and disable all C-ICAP/AV features log_error("[squid] Antivirus features disabled."); - if (is_process_running("clamd")) { - log_error("[squid] Stopping and disabling ClamAV..."); - mwexec("/usr/bin/killall clamd"); - } - unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); - - // freshclam cronjob - squid_install_freshclam_cron(false); + squid_stop_antivirus(); + } +} - // check c-icap rcfile +/* Stop AV services and disable all C-ICAP/AV features */ +function squid_stop_antivirus() { + // Stop C-ICAP + if (is_process_running("c-icap")) { + log_error("[squid] Stopping and disabling C-ICAP..."); + mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); + sleep(5); if (is_process_running("c-icap")) { - log_error("[squid] Stopping and disabling C-ICAP..."); - mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); + log_error("[squid] C-ICAP still running, forcibly killing c-icap process(es)."); + mwexec("/bin/ps awux | /usr/bin/grep '[c]-icap' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill -9"); + } + } + unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); + + // Stop ClamAV + if (is_process_running("clamd")) { + log_error("[squid] Stopping and disabling ClamAV..."); + mwexec("/usr/bin/killall clamd"); + // sleep for a couple of seconds to give clamd a chance to perform clean exit + for ($i = 0; $i < 10; $i++) { + if (is_process_running('clamd')) { + sleep(1); + } } - unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); } + if (is_process_running("clamd")) { + log_error("[squid] ClamAV still running, forcibly killing clamd process(es)."); + mwexec("/usr/bin/killall -9 clamd"); + } + 
unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); + + // Remove freshclam cronjob + squid_install_freshclam_cron(false); } + /* * Input validation */ -- cgit v1.2.3
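Review bot: The forced-kill fallback for C-ICAP in the new squid_stop_antivirus() picks its targets with `grep '[c]-icap'` over `ps awux` output, which matches any process whose command line merely contains that string, and then sends SIGKILL to every match. The clamd branch kills by process name instead; doing the same here, `mwexec("/usr/bin/killall -9 c-icap");`, keeps the SIGKILL confined to the daemon that `is_process_running("c-icap")` tested for. Separately, the 10-iteration wait loop for clamd never exits early, so it keeps polling after clamd has gone; `if (!is_process_running('clamd')) { break; } sleep(1);` ends the wait as soon as the process exits.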