Bug 30553 - Change default group behavior for squid and dansguardian
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Squid
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.1-1
Assigned To: Erik Damrose
QA Contact: Felix Botner
Depends on:
Blocks: 30969
Reported: 2013-02-22 10:27 CET by Erik Damrose
Modified: 2013-04-03 11:23 CEST
Description Erik Damrose univentionstaff 2013-02-22 10:27:08 CET
Currently, when any squid auth mechanism is activated, squid/auth/groups is checked and defaults to true, which limits squid usage to the default group www-access. This should be changed: by default no group memberships should be evaluated, and the default group list should be empty.

Groups are defined in squid/ldapauth/groups. This is inconsistent and should be moved to squid/auth/allowed_groups.

Dansguardian's default config is based around the group www-access too, assigning all users to that group's rules by default. This default group should be renamed to defaultgroup.
Comment 1 Erik Damrose univentionstaff 2013-02-22 14:34:54 CET
Fixed in rev 39207 and 39205
univention-squid 6.0.6-1 and univention-dansguardian 6.0.2-1
Comment 2 Felix Botner univentionstaff 2013-03-11 12:26:46 CET
squid:

I think the update from squid/ldapauth/groups to squid/auth/allowed_groups in univention-squid.postinst could be improved a little:

if is_ucr_true squid/basicauth || is_ucr_true squid/ntlmauth || is_ucr_true squid/krb5auth; then
        if [ -z "$(ucr get squid/auth/groups)" ] || is_ucr_true squid/auth/groups; then
                echo "squid/auth/allowed_groups = squid/ldapauth/groups || www-access"
        fi
fi
ucr unset squid/auth/groups squid/ldapauth/groups


dansguardian:

still find www-access in the dansguardian config:
grep -r www-access *
conffiles/etc/dansguardian/lists/filtergroupslist:groups = configRegistry.get( 'dansguardian/groups', 'www-access' ).split( ';' )
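
A dry-run model of the migration decision sketched in comment 2, added here as an example and not taken from the univention-squid postinst. The function names, the single AUTH_ENABLED argument (standing in for "any of basicauth/ntlmauth/krb5auth is true"), the accepted boolean spellings and the group name proxyusers are assumptions made for illustration.

```shell
#!/bin/sh
# Dry-run model of the squid group migration; it touches no real UCR variables.

# Truthiness test (assumption: yes/true/1/enable/enabled/on, case-insensitive).
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1|enable|enabled|on) return 0 ;;
        *) return 1 ;;
    esac
}

# migrate_allowed_groups AUTH_ENABLED OLD_AUTH_GROUPS OLD_LDAPAUTH_GROUPS
# Prints the value squid/auth/allowed_groups should receive on upgrade.
# An empty result means "no group check", which is the new default.
migrate_allowed_groups() {
    auth_enabled=$1
    old_auth_groups=$2
    old_ldap_groups=$3

    # No auth mechanism was active, so groups were never evaluated.
    is_true "$auth_enabled" || { printf '\n'; return 0; }

    # Old behaviour: an unset squid/auth/groups counted as true.
    if [ -z "$old_auth_groups" ] || is_true "$old_auth_groups"; then
        # Keep the restriction that was in force: the explicit list,
        # or the implicit www-access default when no list was set.
        printf '%s\n' "${old_ldap_groups:-www-access}"
    else
        printf '\n'
    fi
}

# Constructed upgrade scenarios: auth | squid/auth/groups | squid/ldapauth/groups
for row in 'no||' 'yes||' 'yes|no|proxyusers' 'yes|yes|proxyusers'; do
    IFS='|' read -r a g l <<EOF
$row
EOF
    printf 'auth=%-3s groups=%-3s ldap=%-10s -> allowed_groups="%s"\n' \
        "$a" "$g" "$l" "$(migrate_allowed_groups "$a" "$g" "$l")"
done
```

The second scenario is the one that matters on upgrade: a host that relied on the implicit www-access restriction keeps it instead of silently opening the proxy to every authenticated user.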
Comment 3 Felix Botner univentionstaff 2013-03-11 13:11:12 CET
squid:

univention-squid.postinst: squid/auth/allowed_groups?""

Is this necessary?
Comment 4 Felix Botner univentionstaff 2013-03-11 13:37:15 CET
dansguardian:

What is 'web-access' used for?

grep -r web-acc *
conffiles/etc/dansguardian/dansguardian.conf:groups = configRegistry.get( 'dansguardian/groups', 'web-access' )
conffiles/dansguardian-filtergroups.py: groups = configRegistry.get( 'dansguardian/groups', 'web-access' ).split( ';' )
Comment 5 Erik Damrose univentionstaff 2013-03-15 13:03:50 CET
Remaining references to www-access have been removed.
The univention-squid postinst script has been improved.

rev 39624 univention-dansguardian 6.0.3-3
rev 39623 univention-squid 6.0.7-1
Comment 6 Felix Botner univentionstaff 2013-03-15 14:49:29 CET
OK 

Changelog entry exists.
Comment 7 Stefan Gohmann univentionstaff 2013-03-25 19:56:36 CET
UCS 3.1-1 has been released: 
 http://download.univention.de/doc/release-notes-3.1-1_en.pdf
 http://download.univention.de/doc/release-notes-3.1-1.pdf

If this error occurs again, please use "Clone This Bug".