Dansguardian group settings not really working

I just wanted to dig in to the dansguardian settings and I noticed some documentation issues but also that I can’t really get it to work as exepcted. The documentation (https://docs.software-univention.de/manual-4.4.html#proxy:contentfilter) says “Where several values are to be added, these must each be separated by blank spaces.” but the dansguardian/groups setting must be separated by semicolon

groups = configRegistry.get( 'dansguardian/groups', 'defaultgroup' ).split( ';' )

so far so good.
I now have these settings:

dansguardian/groups/Administrators/banned/extensions: .exe
dansguardian/groups/Administrators/banned/sites:
dansguardian/groups/defaultgroup/banned/extensions: .ade .adp .asx .bas .bat .cab .chm .cmd .com .cpl .crt .dll .exe .hlp .ini .hta .inf .ins .isp .lnk .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp .mst .pcd .pif .prf .reg .scf .scr .sct .sh .shs .shb .sys .url .vb .vbe .vbs .vxd .wsc .wsf .wsh .otf .ops .gz .tar .zip .tgz .bz2 .cdr .dmg .smi .sit .sea .bin .hqx .rar .mpeg .mpg .avi .asf .iso .ogg .wmf .bin .cue
dansguardian/groups/defaultgroup/banned/sites: facebook.com
dansguardian/groups/defaultgroup/exception/sites: lcx.at seafile.lcx.at lcx.wien support.lcx.at
dansguardian/groups/opsiadmin/banned/sites: orf.at
dansguardian/groups/system: yes
dansguardian/groups: defaultgroup;Administrators;opsiadmin
dansguardian/virusscanner: clamav
security/packetfilter/package/univention-dansguardian/tcp/3128/all/en: HTTP proxy (dansguardian)
security/packetfilter/package/univention-dansguardian/tcp/3128/all: ACCEPT

and I have my user which belongs to the group “Administrators” and “opsiadmin”

uid=2013(cristian) gid=5001(Domain Users) groups=5001(Domain Users),5053(Users),5082(interface),5078(opsiadmin),5000(Domain Admins),5045(Schema Admins),5077(opsifileadmins),5016(Printer-Admins),5052(Administrators),5046(Enterprise Admins),5047(Group Policy Creator Owners),5051(Denied RODC Password Replication Group),5094(webadmin)

Even though my cristian user is in the Administrators and opsiadmin group I have no access to facebook and the log looks like it’s seeing my user cristian as a member of defaultgroup.

2019.7.25 10:31:10 cristian 192.168.5.249 https://www.facebook.com:443 *DENIED* Verbotene Seite: facebook.com CONNECT 0 0  1 403 -  defaultgroup -

Other issues I have:

  • group banned site for opsiadmin group is not working
  • extension filter for defaultgroup is not working, I can still download .exe files. I have tried with a different user that is plain user without admin or opsiadmin group.

somehow it looks like this bug: https://forge.univention.org/bugzilla/show_bug.cgi?id=36819

Another user has recently posted their problems with Dansguardian which sound similar to yours:

It sounds to me like you’re running into a bug. You should probably raise this issue with the Univention support team if you have a subscription, or at least file a bug over on Bugzilla.

Mastodon