Univention Bugzilla – Bug 39061
Make evaluation order of global blacklist configurable
Last modified: 2015-10-12 10:08:09 CEST
Currently the global blacklist in squidguard has higher priority than every other setting/rule, so teachers and school admins are not able to overrule the global blacklist.
At least one school asked for the possibility to overrule the global blacklist via computerroom settings. To achieve this, the order of black/white list within the squidguard config has to be changed. Current orders:
pass !global-blacklist whitelist-%s none
pass !global-blacklist !blacklist-%s all
pass !global-blacklist whitelist-%s !blacklist-%s all
pass !global-blacklist whitelist-%(username)s none
pass !global-blacklist !blacklist-%(username)s all
The lines without whitelist are not affected. We should add a UCR variable that moves "!global-blacklist" from its current position to just right of the whitelist entry, or removes the entry, respectively:
pass whitelist-%s none
pass whitelist-%s !blacklist-%s !global-blacklist all
pass whitelist-%(username)s none
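The effect of the two orderings, as an added example that is not part of the bug report or of ucs-school-webproxy: a simplified model of squidGuard's left-to-right, first-match evaluation of a pass line, run over constructed lists. The list names for room "Raum3", the .example domains and all function names are assumptions.

```python
# Added sketch, not squidGuard or ucs-school-webproxy code.
# Assumed model: a "pass" line is read left to right and the first token
# that matches decides; "!name" blocks on match, "name" allows on match.

# Constructed destination lists (a domain entry also covers its subdomains).
LISTS = {
    "global-blacklist": {"videos.example", "malware.example"},
    "whitelist-Raum3": {"videos.example", "wiki.example"},
    "blacklist-Raum3": {"games.example"},
}

# Current order (global blacklist first) and proposed order from the report.
FORCED = "!global-blacklist whitelist-Raum3 !blacklist-Raum3 all"
OVERRULE = "whitelist-Raum3 !blacklist-Raum3 !global-blacklist all"
FORCED_STRICT = "!global-blacklist whitelist-Raum3 none"
OVERRULE_STRICT = "whitelist-Raum3 none"


def in_list(domain, entries):
    """True if domain equals an entry or is a subdomain of one."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


def evaluate(rule, domain, lists=LISTS):
    """Return (allowed, deciding_token) for one pass rule."""
    for token in rule.split():
        if token in ("all", "any"):
            return True, token
        if token == "none":
            return False, token
        name = token.lstrip("!")
        if in_list(domain, lists[name]):
            return not token.startswith("!"), token
    raise ValueError("rule must end in all, any or none")


def changed_by_reorder(domains, before, after):
    """Domains whose verdict differs between two rule orderings."""
    return sorted(d for d in domains
                  if evaluate(before, d)[0] != evaluate(after, d)[0])


if __name__ == "__main__":
    sample = ["videos.example", "cdn.videos.example", "malware.example",
              "wiki.example", "games.example", "news.example"]
    for d in sample:
        print(f"{d:20} {evaluate(FORCED, d)} {evaluate(OVERRULE, d)}")
    print("changed:", changed_by_reorder(sample, FORCED, OVERRULE))
```

Only domains that sit on both the global blacklist and a whitelist change verdict; a globally blacklisted domain that nobody whitelisted stays blocked in either order.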
The new UCR variable proxy/filter/global/blacklists/forced has been added to the package ucs-school-webproxy. The current behaviour is achieved by setting the variable to "yes": the global blacklist is evaluated before any other blacklists/whitelists.
The new default is "no": the global blacklist may be overruled by any whitelist by the user/admin.
The following cases have been tested:
- set custom whitelist for a specific room via UMC module "computerroom"
- set whitelist for a class via UMC module "assign internet rules"
- default whitelist (only via UCR; not in use in UCS@school)
The following diff of /etc/squidguard/squidguard.conf between forced and normal external blacklists was made with a user-specific whitelist for room "Raum3" and a custom whitelist for group "Igel" of school "gsmitte".
- pass !global-blacklist whitelist-Administrator-user none
+ pass whitelist-Administrator-user none
pass !global-blacklist !blacklist-Einiges-2dNicht all
- pass !global-blacklist whitelist-Kein-20Internet none
+ pass whitelist-Kein-20Internet none
- pass !global-blacklist whitelist !blacklist all
+ pass whitelist !blacklist !global-blacklist all
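Review bot: in the two "whitelist-… none" lines the "!global-blacklist" term is dropped rather than moved, while the last line moves it behind "!blacklist", and nothing in the generated file tells a reader which mode produced it. Suggest having the template write a comment line next to these rules that names proxy/filter/global/blacklists/forced and its value, so that a missing "!global-blacklist" can be told apart from a template error. The unchanged "!global-blacklist !blacklist-Einiges-2dNicht all" line would stay the same in both modes and needs no marker.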
The manual has been updated accordingly.
r63845 | Bug #39061: updated spell checker dict
r63846 | Bug #39061: updated manual
r63844 | Bug #39061: updated administrator manual
r63852 | Bug #39061: fixed format strings
r63843 | Bug #39061: add configuration option for evaluation order of global blacklist
r63854 | Bug #39061: updated 11_squidguard_assign_rule_to_2_rooms due to changes regarding global blacklists
The app center is going to be updated.
The package has been published to app repo ucsschool_devel.
OK: UCR does what it should:
UCRV proxy/filter/global/blacklists/forced no→yes:
# diff -u /etc/squidguard/squidGuard.conf.forced_no /etc/squidguard/squidGuard.conf.forced_yes
--- /etc/squidguard/squidGuard.conf.forced_no 2015-10-08 14:47:52.474775061 +0200
+++ /etc/squidguard/squidGuard.conf.forced_yes 2015-10-08 14:47:27.886492832 +0200
@@ -62,12 +62,12 @@
- pass whitelist-allow-20wikipedia none
+ pass !global-blacklist whitelist-allow-20wikipedia none
- pass whitelist !blacklist !global-blacklist all
+ pass !global-blacklist whitelist !blacklist all
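Review bot: the changed lines cover only a "whitelist-… none" rule and the default "whitelist !blacklist … all" rule; a rule that combines a named whitelist with a named blacklist and ends in "all" does not appear, so the position of "!global-blacklist" in that form is not verified by this comparison. Suggest adding a room or group that has both lists to the test configuration and repeating the diff. The hunk header announces 12 lines per side while only four changed lines are visible, so the context lines appear to have been lost when the output was pasted.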
Code in commits OK: r63843, r63844, r63845, r63846, r63852, r63854
Automatic tests OK:
* ucs-test -s proxy -E dangerous
* /usr/share/ucs-test/90_ucsschool# for CHECK in 09_define_internet_rules_check 10_assign_internet_rules_check 11_squidguard_assign_rule_to_2_rooms 14_http_proxy_basic_auth_check 15_http_proxy_multi_auth_check 17_http_proxy_auth_after_passwd_reset_check; \
do ./$CHECK -f || break; done
Please note the change of the default evaluation order in the UPDATE text.
(In reply to Daniel Tröder from comment #4)
> Please note the change of the default evaluation order in the UPDATE text.
UCS@school 4.0 R2 v2 has been released.
If this issue occurs again, please use "Clone This Bug".