Regression #13827
closed
Suricata cron jobs persist after the package is uninstalled
100%
Description
Tested on 23.01.b.20221230.0600 with the latest package.
Uninstalling the package does not remove the cron jobs added when the service is configured/enabled. Similar to https://redmine.pfsense.org/issues/13817.
Updated by Jim Pingle almost 3 years ago
- Subject changed from Suricata cron jobs persist after the service is disabled or the package is uninstalled. to Suricata cron jobs persist after the service is disabled or the package is uninstalled
Updated by Marcos M almost 3 years ago
- Subject changed from Suricata cron jobs persist after the service is disabled or the package is uninstalled to Suricata cron jobs persist after the package is uninstalled
Updated by Bill Meeks almost 3 years ago
This was actually broken, it appears, 6 years ago by this commit: https://github.com/pfsense/pfsense/commit/b2bb49709d6d1cb845f2c7caf40bebe375ecb2d7.
This is broken in the Snort package as well. Both the Suricata and Snort packages are calling the pfSense function install_cron_job() in services.inc to remove their cron jobs, but neither package was ever updated to take into account the new "write config" parameter. The GUI package code had been continuing to assume the cron job was being removed from config.xml . There are likely several other packages similarly broken (I see pfBlockerNG has also been flagged).
I will modify Suricata to request a config write after removing its cron jobs. For Snort, I will create a separate ticket for tracking and then also make the required change there.
Updated by Bill Meeks almost 3 years ago
After some further investigation and testing, I'm not convinced the problem is within the package code. Instead, I believe this issue was introduced by a recent change to the install_cron_job() function in /etc/inc/services.inc to address a PHP 8.1 issue with direct $config array access.
The recent change added a call to config_get_path() inside of the array_splice() function call beginning on line 3492 of /etc/inc/services.inc . My understanding is config_get_path() returns a copy of the requested array element and not a direct reference to the array element. Therefore the array_splice() operation is removing the cron job from a copy of $config and not directly from $config as needed. So, on the call to configure_cron() a little farther down at line 3507, the unmodified actual $config array (with the cron job still in place) is written back to disk.
A test hack starting at line 3491 in the file /etc/inc/services.inc shown below fixes the issue:
if ($is_installed == true) {
$tmp = config_get_path('cron/item');
array_splice($tmp, $x, 1);
config_set_path('cron/item', $tmp);
// array_splice(config_get_path('cron/item'), $x, 1);
$change_message = "Removed cron job for %s";
Updated by Bill Meeks almost 3 years ago
I made some changes to the Suricata uninstall code to ensure all code paths perform config writes before exiting. Those changes are in this pull request: https://github.com/pfsense/FreeBSD-ports/pull/1212.
However, as stated in the comments earlier in this thread, the core issue with the persisting cron jobs is a change in the pfSense core function install_cron_job() that was made approximately 4 months ago to accommodate PHP 8.1.
This ticket can be marked resolved when the pull request listed is merged.
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
PR merged, thanks!