Bug 39061 - Make evaluation order of global blacklist configurable
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Proxy services
Version: UCS@school 4.0 R2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.0 R2 Errata
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Daniel Tröder
Reported: 2015-07-31 00:52 CEST by Sönke Schwardt-Krummrich
Modified: 2015-10-12 10:08 CEST

Description Sönke Schwardt-Krummrich univentionstaff 2015-07-31 00:52:21 CEST
Currently the global blacklist in squidguard has higher priority than every other setting/rule, so teachers and school admins are not able to overrule the global blacklist.

At least one school asked for the possibility to overrule the global blacklist via computerroom settings. To achieve this, the order of black/white lists within the squidguard config has to be changed. Current order:

pass !global-blacklist whitelist-%s none
pass !global-blacklist !blacklist-%s all
pass !global-blacklist whitelist-%s !blacklist-%s all
pass !global-blacklist whitelist-%(username)s none
pass !global-blacklist !blacklist-%(username)s all

The lines without a whitelist are not affected. We should add a UCR variable that moves "!global-blacklist" from its current position to just right of the whitelist entry, or removes the entry entirely:

pass whitelist-%s none
pass whitelist-%s !blacklist-%s !global-blacklist all
pass whitelist-%(username)s none
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-09-23 17:30:00 CEST
The new UCR variable proxy/filter/global/blacklists/forced has been added to the package ucs-school-webproxy. The current behaviour is achieved by setting the variable to "yes": the global blacklist is evaluated before any other blacklists/whitelists.

The new default is "no": the global blacklist may be overruled by any whitelist by the user/admin.

The following cases have been tested:
- set custom whitelist for a specific room via UMC module "computerroom"
- set whitelist for a class via UMC module "assign internet rules"
- default whitelist (only via UCR; not in use in UCS@school)

The following diff of /etc/squidguard/squidguard.conf between forced and normal external blacklists was made with a user-specific whitelist for room "Raum3" and a custom whitelist for group "Igel" of school "gsmitte".
-------[cut]----------
 acl {
        room-Raum3 {
-               pass !global-blacklist whitelist-Administrator-user none
+               pass whitelist-Administrator-user none
 
                redirect http://master30.nstx.local/blocked-by-squid.html
        }
         usergroup-gsmitte-2d1B {
                 pass !global-blacklist !blacklist-Einiges-2dNicht all
                 redirect http://master30.nstx.local/blocked-by-squid.html
         }
 
         usergroup-gsmitte-2dIgel {
-                pass !global-blacklist whitelist-Kein-20Internet none
+                pass whitelist-Kein-20Internet none
                 redirect http://master30.nstx.local/blocked-by-squid.html
         }
 
         default {
-                 pass !global-blacklist whitelist !blacklist all
+                 pass whitelist !blacklist !global-blacklist all
                  redirect http://master30.nstx.local/blocked-by-squid.html
         }
 }
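Review bot: in the room-Raum3 and usergroup-gsmitte-2dIgel hunks the rule changes from `pass !global-blacklist whitelist-... none` to `pass whitelist-... none`, so a domain that is on both the global blacklist and the room/class whitelist is now passed on first match instead of blocked; squidGuard stops at the first term whose destination group contains the requested URL, and dropping the leading `!global-blacklist` is exactly what turns the whitelist into an override. That is the requested behaviour, but the manual update should state plainly that a whitelist created by a teacher now bypasses the global blacklist for the whitelisted domains, since that is a policy change for every school that keeps the new default "no". The usergroup-gsmitte-2d1B rule (`pass !global-blacklist !blacklist-Einiges-2dNicht all`) is correctly left unchanged, matching the description's note that lines without a whitelist are not affected.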
-------[cut]----------

The manual has been updated accordingly.

univention-spellcheck (0.1-1):
r63845 | Bug #39061: updated spell checker dict

NONE:
r63846 | Bug #39061: updated manual
r63844 | Bug #39061: updated administrator manual

ucs-school-webproxy (11.0.8-1):
r63852 | Bug #39061: fixed format strings
r63843 | Bug #39061: add configuration option for evaluation order of global blacklist

ucs-test-ucsschool (2.0.53-1):
r63854 | Bug #39061: updated 11_squidguard_assign_rule_to_2_rooms due to changes regarding global blacklists

The app center is going to be updated.
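The first-match ordering described in the report and rendered in the diff above, as an added example that is not code from ucs-school-webproxy or squidGuard: it builds the pass lines from the templates quoted in the description for both values of proxy/filter/global/blacklists/forced and evaluates a few constructed domains against constructed destination groups, to show which requests a room or class whitelist can override under the new default. The group names and domains are made up for the demonstration, and the decision logic is a simplified model of squidGuard's matching (exact domain membership only, no subdomain or expression matching).

```python
"""Model of the squidGuard pass-line ordering behind Bug 39061.

Added illustration, not code from ucs-school-webproxy or squidGuard. The pass
lines are built from the templates quoted in the bug; the decision logic is a
simplified model of squidGuard's first-match evaluation: the terms of a `pass`
line are checked left to right, the first destination group that contains the
requested domain decides (a plain term passes, a `!`-negated term blocks), and
the trailing `all` / `none` is the fallback. Real squidGuard also matches
subdomains and URL expressions; this model only does exact domain membership.
"""

GLOBAL_BLACKLIST_TERM = "!global-blacklist"


def render_pass_line(whitelist=None, blacklist=None, forced=False):
    """Return the pass line for one acl, following the orderings in the bug.

    forced=True  models proxy/filter/global/blacklists/forced=yes (the old
                 behaviour): !global-blacklist is the first term of every rule.
    forced=False models the new default "no": rules without a whitelist keep
                 !global-blacklist in front; rules with a whitelist move it
                 behind the whitelist and the per-rule blacklist, and drop it
                 from whitelist-only rules, whose fallback is `none`.
    """
    terms = []
    if forced or whitelist is None:
        terms.append(GLOBAL_BLACKLIST_TERM)
    if whitelist is not None:
        terms.append(whitelist)
    if blacklist is not None:
        terms.append("!" + blacklist)
        if whitelist is not None and not forced:
            terms.append(GLOBAL_BLACKLIST_TERM)
    # A whitelist-only rule denies everything else; all other rules allow it.
    terms.append("none" if (whitelist is not None and blacklist is None) else "all")
    return "pass " + " ".join(terms)


def evaluate(pass_line, domain, groups):
    """Return True if `domain` is allowed by `pass_line` under first-match rules.

    `groups` maps a destination-group name to the set of domains it contains.
    """
    for term in pass_line.split()[1:]:
        if term == "all":
            return True
        if term == "none":
            return False
        negated = term.startswith("!")
        name = term[1:] if negated else term
        if domain in groups.get(name, ()):
            return not negated
    # No explicit all/none fallback: deny (an assumption of this model).
    return False


# Constructed sample destination groups; the names mirror the diff in the bug.
SAMPLE_GROUPS = {
    "global-blacklist": {"malware.example", "gambling.example"},
    "whitelist-Administrator-user": {"wikipedia.org", "malware.example"},
    "blacklist-Einiges-2dNicht": {"games.example"},
}


def decide(domain, whitelist=None, blacklist=None, groups=SAMPLE_GROUPS):
    """Decide `domain` under both UCR settings; returns (forced_yes, forced_no)."""
    forced_line = render_pass_line(whitelist, blacklist, forced=True)
    default_line = render_pass_line(whitelist, blacklist, forced=False)
    return (evaluate(forced_line, domain, groups),
            evaluate(default_line, domain, groups))


if __name__ == "__main__":
    cases = [
        ("malware.example", "whitelist-Administrator-user", None),
        ("wikipedia.org", "whitelist-Administrator-user", None),
        ("gambling.example", "whitelist-Administrator-user", None),
        ("games.example", None, "blacklist-Einiges-2dNicht"),
        ("example.com", None, "blacklist-Einiges-2dNicht"),
        ("malware.example", "whitelist-Administrator-user", "blacklist-Einiges-2dNicht"),
    ]
    for domain, wl, bl in cases:
        yes, no = decide(domain, wl, bl)
        print(f"{domain:18} wl={wl!s:30} bl={bl!s:26} forced=yes:{yes!s:5} forced=no:{no}")
```

The only domain whose decision flips is one that sits on both the global blacklist and a whitelist (malware.example in the sample): with forced=yes it is blocked before the whitelist is consulted, with the new default "no" the whitelist wins. Rules without a whitelist render identically under both settings, which is why the usergroup-gsmitte-2d1B rule in the diff carries no `-`/`+` marker.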
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2015-10-01 23:14:03 CEST
The package has been published to app repo ucsschool_devel.
Comment 3 Daniel Tröder univentionstaff 2015-10-08 15:35:25 CEST
OK: UCR does what it should:

UCRV proxy/filter/global/blacklists/forced no→yes:

# diff -u /etc/squidguard/squidGuard.conf.forced_no  /etc/squidguard/squidGuard.conf.forced_yes 
--- /etc/squidguard/squidGuard.conf.forced_no	2015-10-08 14:47:52.474775061 +0200
+++ /etc/squidguard/squidGuard.conf.forced_yes	2015-10-08 14:47:27.886492832 +0200
@@ -62,12 +62,12 @@
 
 acl {
 	 usergroup-schule01-2d1A {
-		 pass whitelist-allow-20wikipedia none
+		 pass !global-blacklist whitelist-allow-20wikipedia none
 		 redirect http://master31s4.uni.dtr/blocked-by-squid.html
 	 }
 
 	 default {
-		  pass whitelist !blacklist !global-blacklist all
+		  pass !global-blacklist whitelist !blacklist all
 		  redirect http://master31s4.uni.dtr/blocked-by-squid.html
 	 }
 }
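Review bot: this hunk is in the opposite direction to the diff in comment 1 (the `-` lines are the new default `no`, the `+` lines are `forced=yes`), so the `+` lines here must not be read as the new behaviour; a one-line note saying so would avoid confusion when the two diffs are compared. Content-wise the hunk matches the templates in the description: with `forced=yes`, `!global-blacklist` is restored as the first term of both the usergroup-schule01-2d1A rule and the default rule, so a URL on the global blacklist is blocked before `whitelist-allow-20wikipedia` or `whitelist` is consulted. The file path also differs from comment 1 (`/etc/squidguard/squidGuard.conf` here, `/etc/squidguard/squidguard.conf` there); the manual should use the one that actually exists on the system.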

Code in commits OK: r63843, r63844, r63845, r63846, r63852, r63854

Automatic tests OK:
* ucs-test -s proxy -E dangerous
* /usr/share/ucs-test/90_ucsschool# for CHECK in 09_define_internet_rules_check 10_assign_internet_rules_check 11_squidguard_assign_rule_to_2_rooms 14_http_proxy_basic_auth_check 15_http_proxy_multi_auth_check 17_http_proxy_auth_after_passwd_reset_check; \
do ./$CHECK -f || break; done
Comment 4 Daniel Tröder univentionstaff 2015-10-08 16:19:33 CEST
Please note the change of the default evaluation order in the UPDATE text.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2015-10-12 10:08:09 CEST
(In reply to Daniel Tröder from comment #4)
> Please note the change of the default evaluation order in the UPDATE text.
→ DONE


UCS@school 4.0 R2 v2 has been released.

If this issue occurs again, please use "Clone This Bug".