Squidguard's group based profile creation broke Squid and shared folders permissions

Hi, everybody.

First of all, sorry for my English.
I’m testing NS7b2 in a real machine.
My server act as a gateway, DC and Proxy.
Everything worked fine until I created a profile that bypass the proxy filter for a specific group. After that, Squid service stopped and shared folders turned inaccessible.
Deleting that profile makes Squid to start again, but wrong permissions on shared folders still remains.
I reproduced this behavior twice in a real machine and once in Virtualbox.
Cheers.

1 Like

I can’t figure how they can be related… :thinking:

Please have a look to this Shared folders bug. Is this your case, too?

…about squid: could you attach some log files? Can you reproduce the squid problem? What is the procedure to reproduce the bug?

Hi, davidep.

  • install nethserver;
  • apply updates;
  • reboot
  • install kmod-e100 from elrepo;
  • configure red lan to use DHCP;
  • configure green lan static 10.0.0.1/24;
  • configure DHCP to use green lan;
  • install DC, file server, web proxy and web content filter;
  • configure DC to use 10.0.0.2;
  • create users;
  • create groups and put users inside them;
  • create folders for each group given group write permissions;
  • join Windows client and test folders permissions: everything is OK;
  • enable web proxy with transparent SSL;
  • test folders permissions: OK;
  • enable web content filter, enable antivirus, save and download Université
    Toulouse in blacklists, edit default filter to block undesired contents,
    create a new filter for a new profile, create a new profile for a specific
    group in DC (in “Who” box choose group@server) and click submit button;
  • go to services: squid, squidclamav and c-icap are disabled and stopped;
  • go to Windows client and test folders permissions: every folder is
    inaccessible.

I tried one more time, because i notice that nethserver-DC released a new
version, but i got same result.
Cheers,

:

2 Likes

Thank you @celiofk for your detailed report! I’ll try to reproduce this behavior. In the meanwhile I hope somebody in @dev_team has an idea about the origin of the problem.

Did you notice anything relevant message in the log files? Could you attach here some log excerpts?

I think you hit two different unrelated bugs.

I can’t reproduce it, check this out: https://github.com/NethServer/dev/issues/5111

Squid is stopped because squidGuard dies with a segfault.
You should find something like this inside the /var/log/messages:

Sep 27 10:40:29 test squid[10716]: Squid Parent: (squid-1) process 10772 started
Sep 27 10:40:29 test kernel: squidGuard[10778]: segfault at ffffffff905c01a0 ip 00007f3f8f6dc782 sp 00007ffd94c39468 error 5 in libc-2.17.so[7f3f8f592000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10779]: segfault at ffffffffd981b1b8 ip 00007fa4d8937eec sp 00007fffc14c34b8 error 5 in libc-2.17.so[7fa4d87ed000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10781]: segfault at ffffffffb3ca91a0 ip 00007f8bb2dc5782 sp 00007ffc4d94cf38 error 5 in libc-2.17.so[7f8bb2c7b000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10780]: segfault at 23fd81b8 ip 00007f9b230f4eec sp 00007fff36b40398 error 4 in libc-2.17.so[7f9b22faa000+1b7000]
Sep 27 10:40:29 test kernel: squidGuard[10782]: segfault at 4d3771a0 ip 00007f604c493782 sp 00007ffd7866c958 error 4 in libc-2.17.so[7f604c349000+1b7000]
Sep 27 10:40:29 test (squid-1): The redirector helpers are crashing too rapidly, need help!
Sep 27 10:40:29 test squid[10716]: Squid Parent: (squid-1) process 10772 exited with status 1
Sep 27 10:40:29 test squid[10716]: Squid Parent: (squid-1) process 10772 will not be restarted due to repeated, frequent failures
Sep 27 10:40:29 test squid[10716]: Exiting due to repeated, frequent failures

Please check that clamd is running along with c-icap

systemctl status c-icap
systemctl status clamd@squidclamav

I have no idea why squidGuard is segfaulting :frowning:
Edit: Probably this is the upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1253662

I just opened a new issue, try with the package from testing repository! :wink:

1 Like

@celiofk our devs are super fast! Please help us to test this new package, take a look at this howto before

Our @quality_team will be happy to help you.

1 Like

Hi, @giacomo @alefattorini @davidep

I was testing Squid and Squidguard in Virtualbox many times. This is my
last attempt:

  • create virtual machine for Nethserver with 20Gb HDD, 1Gb memory and two
    network cards, one bridge and one internal to serve Windows client;
  • install Nethserver in unattended mode;
  • apply updates in console mode;
  • reboot;
  • access web interface and make the initial wizard changes;
  • configure network with one green static 10.0.0.1/24 and one red DHCP;
  • apply DHCP to green interface;
  • install nethserver-DC, file server, web filter and web proxy (squidGuard
    package is the new one!);
  • go to user an groups and start DC with bridge checked;
  • change administrator password;
  • create two users with no password expire and no ssh;
  • create two groups and insert users;
  • create two shared folders for groups with write permission to group owner;
  • apply DHCP to bridge interface;
  • join Windows client and test write permission on shared folders: OK;
  • enable web proxy: transparent with SSL on green and blue and disabled
    cache.
  • reboot server;
  • go to status, domain accounts: can’t find ldap server, but domain is OK;
  • start Windows client and test shared folders permission: have no read
    permission;
  • while i wrote this, returned to domain accounts: ldap server is back;
  • start Windows client and test shared folders permission: have no read
    permission;

Attached /var/log/messages selected from packages install. I hope it helps.
Cheers,

1 Like

Hi,

Today I tested SquidGuard.
It doesn’t crash anymore, but I noticed two points:

  • if antivirus is disabled, c-icap service doesn’t start and stay disabled
    still enable filter is marked and submitted;
  • when create a profile for an ACL group with a custom filter that allow
    all contents, all others groups can bypass the default filter content;
    That’s it.
    Cheers
2 Likes

This is the correct behavior.

Still can’t reproduce it :frowning: , I need a little extra time.

This is unrelated, please open separated threads for different problems.

OK, c-icap service was disabled and stopped, but in the web content filter page is marked enabled. If I need antivirus enabled to run web content filter, why is there an option to disable it?:confused:

Sorry, my bad. I’ll do it.:grin:

Sorry, probably I misunderstood what you were saying.
Are you referring to the checkbox under the “Antivirus” tab?

I tried multiple times to enable/disable it, and the underlying configuration is consistent with the checkbox status.

Finally I managed to reproduce it:

Edit:
The package is ready for testing, would you mind to try it?

yum --enablerepo=nethserver-testing update nethserver-squidguard
1 Like

I’m very sorry. I thought that enable filter checkbox was related with c-icap server, but it’s not. Forget about it.

Yes, already tried:

  • users are blocked with default content filter;:+1:
  • users that belong to ACL group in the custom profile should be released, instead are blocked. Maybe related with Squid broken ACL permissions?

I don’t get the scenario. :frowning:
Please post the output of following commands:

 db contentfilter show
 tail -n 30 /etc/squid/squidGuard.conf

[root@server ~]# db contentfilter show
admin_filter=profile
Description=
Filter=filter;bypass
Src=group;action_nutri@test.lan
Time=
bypass=filter
BlackList=disabled
BlockAll=disabled
BlockBuiltinRules=disabled
BlockFileTypes=disabled
BlockIpAccess=enabled
Categories=
Description=
WhiteList=disabled
default=filter
BlackList=enabled
BlockAll=disabled
BlockBuiltinRules=disabled
BlockFileTypes=disabled
BlockIpAccess=enabled
Categories=drugs,gamble,games-misc,games-online,hacking,movies,music,porn,radiotv,sex,socialnet,spyware,warez,webphone,webtv
Description=Default filter
Removable=no
WhiteList=enabled
default_profile=profile
Description=Default profile
Filter=filter;default
Removable=no
[root@server ~]# tail -n 30 /etc/squid/squidGuard.conf
}
dest news {
domainlist /var/squidGuard/blacklists/news/domains
urllist /var/squidGuard/blacklists/news/urls
logfile urlfilter.log
}
dest isp {
domainlist /var/squidGuard/blacklists/isp/domains
urllist /var/squidGuard/blacklists/isp/urls
logfile urlfilter.log
}

src src_admin_filter {
userlist /etc/squid/squidGuard/src_admin_filter
}

acl {

# Profile: admin_filter
src_admin_filter  {
    pass !in-addr  all
}

default {
    pass nh_whitelist  !nh_blacklist  !in-addr  !drugs  !gamble  !games-misc  !games-online  !hacking  !movies  !music  !porn  !radiotv  !socialnet  !spyware  !warez  !webphone  !webtv  all
    redirect     http://10.0.0.1/cgi-bin/nethserver-block.cgi?clientaddr=%a&clientname=%n&clientident=%i&srcclass=%s&targetgroup=%t&url=%u
}

}

Is this bug solved in NS7b2?
I’m having same problem in RC2: created a profile that release access to everything for some DC group and users, but all of them are blocked.
Cheers,

Sorry but I couldn’t reproduce it.

By the way, we are switch to ufbguard for RC 3.
Take a look at this thread:

OK, if SquidGuard will be replaced by UFBGuard, I’ll be waiting to test it. :relaxed: