Univention Bugzilla – Bug 39061
Make evaluation order of global blacklist configurable
Last modified: 2015-10-12 10:08:09 CEST
Currently the global blacklist in squidguard has higher priority than every other setting/rule, so teachers and school admins are not able to overrule the global blacklist. At least one school asked for the possibility to overrule the global blacklist via computerroom settings.

To achieve this, the order of black/white list within the squidguard config has to be changed. Current orders:

pass !global-blacklist whitelist-%s none
pass !global-blacklist !blacklist-%s all
pass !global-blacklist whitelist-%s !blacklist-%s all
pass !global-blacklist whitelist-%(username)s none
pass !global-blacklist !blacklist-%(username)s all

The lines without whitelist are not affected.
We should add a UCR variable that moves "!global-blacklist" from its current position to just right of the whitelist entry, or removes the entry, respectively:

pass whitelist-%s none
pass whitelist-%s !blacklist-%s !global-blacklist all
pass whitelist-%(username)s none

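The effect of the two token orders described above can be checked with a small model of how a squidGuard "pass" line is evaluated (left to right, first matching token decides). This is an added example, not code from ucs-school-webproxy; the list names and domains are constructed, and matching is simplified to domain sets.

```python
# Added illustration: simplified model of squidGuard "pass" evaluation.
# Assumption: destination lists are plain domain sets; real squidGuard
# also matches URL paths and expressions.

def domain_in(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def evaluate_pass(pass_line, host, lists):
    """Walk the tokens left to right; the first matching token decides."""
    tokens = pass_line.split()
    if tokens and tokens[0] == "pass":
        tokens = tokens[1:]
    for tok in tokens:
        if tok in ("all", "any"):
            return True               # catch-all allow
        if tok == "none":
            return False              # catch-all deny
        negated = tok.startswith("!")
        name = tok.lstrip("!")
        if name not in lists:
            raise KeyError(f"undefined destination list: {name}")
        if domain_in(host, lists[name]):
            return not negated        # "!list" denies, "list" allows
    return False                      # nothing matched: treat as blocked

# Constructed sample data (hypothetical list names and domains).
LISTS = {
    "global-blacklist": {"blocked.example", "malware.example"},
    "whitelist-room": {"blocked.example", "wiki.example"},
    "blacklist-room": {"games.example"},
}
FORCED = "pass !global-blacklist whitelist-room !blacklist-room all"
OVERRIDABLE = "pass whitelist-room !blacklist-room !global-blacklist all"

def compare(host):
    """Return (allowed with global list first, allowed with whitelist first)."""
    return (evaluate_pass(FORCED, host, LISTS),
            evaluate_pass(OVERRIDABLE, host, LISTS))

if __name__ == "__main__":
    for h in ("blocked.example", "malware.example", "wiki.example",
              "games.example", "other.example"):
        print(h, compare(h))
```

Only hosts that are on both the global blacklist and a whitelist change outcome between the two orders; a globally blacklisted host that nobody whitelisted stays blocked in both.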
The new UCR variable proxy/filter/global/blacklists/forced has been added to the package ucs-school-webproxy. The current behaviour is achieved by setting the variable to "yes": the global blacklist is evaluated before any other blacklists/whitelists. The new default is "no": the global blacklist may be overruled by any whitelist by the user/admin.

The following cases have been tested:
- set custom whitelist for a specific room via UMC module "computerroom"
- set whitelist for a class via UMC module "assign internet rules"
- default whitelist (only via UCR; not in use in UCS@school)

The following diff of /etc/squidguard/squidguard.conf between forced and normal external blacklists was made with a user-specific whitelist for room "Raum3" and a custom whitelist for group "Igel" of school "gsmitte".

-------[cut]---------- acl { room-Raum3 { - pass !global-blacklist whitelist-Administrator-user none + pass whitelist-Administrator-user none redirect http://master30.nstx.local/blocked-by-squid.html } usergroup-gsmitte-2d1B { pass !global-blacklist !blacklist-Einiges-2dNicht all redirect http://master30.nstx.local/blocked-by-squid.html } usergroup-gsmitte-2dIgel { - pass !global-blacklist whitelist-Kein-20Internet none + pass whitelist-Kein-20Internet none redirect http://master30.nstx.local/blocked-by-squid.html } default { - pass !global-blacklist whitelist !blacklist all + pass whitelist !blacklist !global-blacklist all redirect http://master30.nstx.local/blocked-by-squid.html } } -------[cut]----------

The manual has been updated accordingly.

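Review bot: In the room-Raum3 and usergroup-gsmitte-2dIgel entries, "!global-blacklist" is removed from the whitelist lines rather than moved, so with the new default of proxy/filter/global/blacklists/forced=no a site on the global blacklist becomes reachable as soon as a teacher or admin whitelists it. Because this changes the effective policy on upgrade, the update text should state it and name the "yes" setting for installations where the global blacklist must stay binding. The unchanged usergroup-gsmitte-2d1B line shows that blacklist-only rules still check the global blacklist first.
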
univention-spellcheck (0.1-1):
r63845 | Bug #39061: updated spell checker dict

NONE:
r63846 | Bug #39061: updated manual
r63844 | Bug #39061: updated adminstrator manual

ucs-school-webproxy (11.0.8-1):
r63852 | Bug #39061: fixed format strings
r63843 | Bug #39061: add configuration option for evaluation order of global blacklist

ucs-test-ucsschool (2.0.53-1):
r63854 | Bug #39061: updated 11_squidguard_assign_rule_to_2_rooms due to changes regarding global blacklists

The app center is going to be updated.

The package has been published to app repo ucsschool_devel.
OK: UCR does what it should:

UCRV proxy/filter/global/blacklists/forced no→yes:

# diff -u /etc/squidguard/squidGuard.conf.forced_no /etc/squidguard/squidGuard.conf.forced_yes --- /etc/squidguard/squidGuard.conf.forced_no 2015-10-08 14:47:52.474775061 +0200 +++ /etc/squidguard/squidGuard.conf.forced_yes 2015-10-08 14:47:27.886492832 +0200 @@ -62,12 +62,12 @@ acl { usergroup-schule01-2d1A { - pass whitelist-allow-20wikipedia none + pass !global-blacklist whitelist-allow-20wikipedia none redirect http://master31s4.uni.dtr/blocked-by-squid.html } default { - pass whitelist !blacklist !global-blacklist all + pass !global-blacklist whitelist !blacklist all redirect http://master31s4.uni.dtr/blocked-by-squid.html } }

Code in commits OK: r63843, r63844, r63845, r63846, r63852, r63854

Automatic tests OK:
* ucs-test -s proxy -E dangerous
* /usr/share/ucs-test/90_ucsschool# for CHECK in 09_define_internet_rules_check 10_assign_internet_rules_check 11_squidguard_assign_rule_to_2_rooms 14_http_proxy_basic_auth_check 15_http_proxy_multi_auth_check 17_http_proxy_auth_after_passwd_reset_check; \
  do ./$CHECK -f || break; done

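Review bot: The hunk at @@ -62,12 only shows entries that carry a whitelist (usergroup-schule01-2d1A and default), so it does not demonstrate that a blacklist-only rule is identical in both modes. Adding a group with only a blacklist assigned to the compared configuration would cover the "lines without whitelist are not affected" case from the bug description. The path is written squidGuard.conf here while the earlier comment uses squidguard.conf; it is worth confirming which file name the package actually writes.
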
Please note the change of the default evaluation order in the UPDATE text.
(In reply to Daniel Tröder from comment #4)
> Please note the change of the default evaluation order in the UPDATE text.

→ DONE

UCS@school 4.0 R2 v2 has been released.
If this issue occurs again, please use "Clone This Bug".