Bug 49947 - Dansguardian doesn't check groups since upgrade to 4.4.1
Dansguardian doesn't check groups since upgrade to 4.4.1
Status: NEW
Product: UCS
Classification: Unclassified
Component: Dansguardian
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
UCS maintainers
Depends on:
  Show dependency treegraph
Reported: 2019-07-31 21:43 CEST by johann.schnagl
Modified: 2020-10-05 12:03 CEST (History)
1 user (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description johann.schnagl 2019-07-31 21:43:22 CEST
It seems dansguardian is no longer checking the groups of a user. It seems to always use the default group.

My default group in dansguardian is configured to only allow a whitelist:
dansguardian/groups/dansguardian_white/banned/sites **
dansguardian/groups/dansguardian_white/exception/sites .Include</etc/dansguardian/white/domains> .Include</etc/dansguardian/BL/updatesites/domains>
dansguardian/groups/dansguardian_white/exception/urls .Include</etc/dansguardian/BL/updatesites/urls>

I just restored to Univention 4.4.0 and there I see in /var/log/dansguardian/access.log the normal behavior. When I browse to google.de I see my name and the group dansguardian_unrestricted.

So I repeated the upgrade to 4.4.1, joined the domain again and rebooted the server. And now I see a deny in the logs. The group is no longer dansguardian_unrestricted but the default group dansguardian_white.So I downgraded again to 4.4.0 and stopped the unattended upgrades.

By the way I found 7 lines in syslog all of them like:
dansguardian[4835]: Auth plugin returned error code: -1

I just set up a new proxy server and could reproduce the error. I only configured one additional group and the default group. Only denying one single site in the default group still makes the site inaccesible to members of the other group where this site is not mentioned.

It really seems to be an error. By the way I didn’t get the Auth plugin error this time.
Comment 1 andipilz 2020-10-05 12:03:57 CEST
As I am running into the same problem, with having an additional group blocking only some of the users, I wonder why this error / bug is still "NEW".

I can easily reproduce the bug on my setup. It seems to me, no other group is regarded in addition to the defaultgroup.

On the other hand, when I add a new group to ucr dansguardian/groups the respective files are generated in /etc/dansguardian/lists with the new name. Yet, they all have wrong access rights, as for group and others the "r" is missing, why dans guardian cannot start anymore.

Just observations, as I am not an expert ... :-(