Following the discovery of critical vulnerabilities in v10.0.16,
remember to use the new version of GLPI, v10.0.17.
Source: https://breizhcyber.bzh/actualites/5-vulnerabilites-critiques-corrigees-au-sein-de-glpi/
We're going to install it on Debian 12 Linux.
Pre-requisite | Current config |
---|---|
a Linux OS | Debian 12 |
a web server | Apache |
PHP | PHP 8.2 |
a MySQL database | MariaDB 11.4.3 |
Update the package index and install Apache, MariaDB, and PHP:
sudo apt update
sudo apt install -y apache2 mariadb-server php php-mysql libapache2-mod-php php-gd php-ldap php-xml php-mbstring php-curl php-json php-intl
Run the MySQL/MariaDB security script to secure the installation:
sudo mysql_secure_installation
Set the root password when prompted, e.g. rootpass
Login to MySQL/MariaDB:
sudo mysql -u root -p
Create a database for GLPI:
CREATE DATABASE glpidb CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
Create a user and grant privileges:
CREATE USER 'glpiuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON glpidb.* TO 'glpiuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;
Download the latest version of GLPI from the official website or GitHub repository:
wget https://github.com/glpi-project/glpi/releases/download/10.0.17/glpi-10.0.17.tgz
Extract the downloaded archive:
tar -xzf glpi-10.0.17.tgz
Move the extracted GLPI files to the Apache document root:
sudo mv glpi /var/www/html/
Set the correct permissions for GLPI:
sudo chown -R www-data:www-data /var/www/html/glpi
sudo chmod -R 755 /var/www/html/glpi
Create a new Apache configuration file for GLPI:
sudo nano /etc/apache2/sites-available/glpi.conf
Add the following content to the file:
<VirtualHost *:80>
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/glpi/public
    ServerName example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/html/glpi/public>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Enable the new Apache configuration:
sudo a2ensite glpi.conf
Restart Apache for the changes to take effect:
sudo systemctl restart apache2
Access GLPI in your web browser by navigating to http://your_server_ip/glpi. Follow the on-screen instructions to complete the installation.
Edit /etc/php/8.2/apache2/php.ini
Uncomment the line for each required extension.
If needed, install the missing extensions (e.g. sudo apt install php-intl):
sudo apt install php-nameOfTheAddon
Change session.cookie_httponly if needed.
Restart Apache after the changes.
We are going to perform this installation over SSH and give the user sudo rights.
sudo apt-get update && sudo apt-get upgrade
ip a
cat /etc/apt/sources.list
deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
apt install sudo
sudo usermod -aG sudo <utilisateur>
visudo
and add the user
sudo apt install openssh-server
sudo apt install nginx
sudo systemctl status nginx
sudo apt install ufw
sudo ufw allow ssh
sudo ufw allow 'Nginx HTTP'
(port 80 only, since SSL is not configured)
sudo ufw status
sudo ufw enable
ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'
sudo apt install mariadb-server
sudo mysql_secure_installation
mariadb -u root -p
CREATE DATABASE glpi_db;
GRANT ALL PRIVILEGES ON glpi_db.* TO glpi_user@localhost IDENTIFIED BY "glpi_pass";
FLUSH PRIVILEGES;
EXIT;
Nginx does not execute PHP requests natively; you need to install the php-fpm package (fastcgi-php) and then tell nginx to pass PHP requests to this FastCGI process manager.
sudo add-apt-repository universe  # Ubuntu only: Debian has no universe component and ships php-fpm in main
sudo apt install php-fpm php-mysql
sudo apt-get install php-xml php-common php-json php-mysql php-mbstring php-curl php-gd php-intl php-zip php-bz2 php-imap php-apcu php-ldap
sudo nano /etc/php/8.2/fpm/php.ini
session.cookie_httponly = on
sudo systemctl restart php8.2-fpm
check the GLPI GitHub repository to find the latest version of the software
download the latest version of GLPI into the /tmp folder
wget -P /tmp https://github.com/glpi-project/glpi/releases/download/10.0.17/glpi-10.0.17.tgz
extract the archive into the /var/www folder
sudo tar -xzvf /tmp/glpi-10.0.17.tgz -C /var/www
give the web server user that runs GLPI (www-data) ownership of the created files and folders
sudo chown www-data /var/www/glpi/ -R
move GLPI's configuration files to a new folder under /etc/glpi
sudo mkdir /etc/glpi && sudo chown www-data /etc/glpi/ && sudo mv /var/www/glpi/config /etc/glpi
move GLPI's data files to a new folder under /var/lib/glpi
sudo mkdir /var/lib/glpi && sudo chown www-data /var/lib/glpi/ && sudo mv /var/www/glpi/files /var/lib/glpi
create the /var/log/glpi folder that will hold the application's logs
sudo mkdir /var/log/glpi && sudo chown www-data /var/log/glpi
declare the newly created folders in two files
sudo nano /var/www/glpi/inc/downstream.php
<?php
define('GLPI_CONFIG_DIR', '/etc/glpi/');
if (file_exists(GLPI_CONFIG_DIR . '/local_define.php')) {
require_once GLPI_CONFIG_DIR . '/local_define.php';
}
sudo nano /etc/glpi/local_define.php
<?php
define('GLPI_VAR_DIR', '/var/lib/glpi/files');
define('GLPI_LOG_DIR', '/var/log/glpi');
tell nginx to use PHP to serve the GLPI pages
sudo nano /etc/nginx/sites-available/glpi
server {
    listen 80;
    listen [::]:80;
    server_name glpi;
    root /var/www/glpi/public;
    location / {
        try_files $uri /index.php$is_args$args;
    }
    location ~ ^/index\.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
sudo ln -s /etc/nginx/sites-available/glpi /etc/nginx/sites-enabled/
sudo unlink /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl reload nginx
sudo mv /var/www/glpi/install/install.php /var/www/glpi/install/install.php.old
GLPI is installed and secured.
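To confirm that the hardening steps of the nginx procedure above were actually applied, here is an added audit script (not part of the original guide or of GLPI). The function name audit_glpi and its optional ROOT prefix argument are assumptions of this example; the paths are the ones used in the steps above.

```sh
#!/bin/sh
# Added example (not from the original guide): audit the hardening steps above.
# audit_glpi takes an optional ROOT prefix (an assumption of this example) so the
# checks can run against a constructed tree; with no argument it audits "/".

_fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

audit_glpi() {
    root="${1:-}"
    web="$root/var/www/glpi"
    ini="$root/etc/php/8.2/fpm/php.ini"
    fails=0

    # 1. The web installer must not stay reachable once setup is finished.
    [ ! -e "$web/install/install.php" ] || _fail "install/install.php still present"

    # 2. config/ and files/ must have been moved out of the GLPI tree.
    for d in config files; do
        [ ! -d "$web/$d" ] || _fail "$d/ is still under $web"
    done

    # 3. downstream.php must point GLPI at the relocated config directory.
    grep -Eq "GLPI_CONFIG_DIR'[[:space:]]*,[[:space:]]*'/etc/glpi/?'" \
        "$web/inc/downstream.php" 2>/dev/null \
        || _fail "inc/downstream.php does not set GLPI_CONFIG_DIR to /etc/glpi"

    # 4. local_define.php must declare the data and log directories.
    for c in GLPI_VAR_DIR GLPI_LOG_DIR; do
        grep -q "define('$c'" "$root/etc/glpi/local_define.php" 2>/dev/null \
            || _fail "$c is not defined in /etc/glpi/local_define.php"
    done

    # 5. session.cookie_httponly must be uncommented and enabled.
    grep -Eiq '^[[:space:]]*session\.cookie_httponly[[:space:]]*=[[:space:]]*(on|1|true)' \
        "$ini" 2>/dev/null || _fail "session.cookie_httponly is not enabled in $ini"

    # 6. nginx must serve only public/, never the GLPI root itself.
    grep -Eq '^[[:space:]]*root[[:space:]]+/var/www/glpi/public;' \
        "$root/etc/nginx/sites-available/glpi" 2>/dev/null \
        || _fail "nginx root is not /var/www/glpi/public"

    [ "$fails" -ne 0 ] || echo "OK: all checks passed"
    return "$fails"
}
```

On a live server, call `audit_glpi` with no argument as a user who can read these files; the exit status is the number of failed checks.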
todo
Since GLPI version 10, the FusionInventory plugin has been replaced by the in-house component glpi-inventory and its agent, glpi-agent.
If you still want to use FusionInventory (which works) on GLPI version 10.0.7+, you'll need to edit setup.php inside the fusioninventory plugin folder and change the max version (line 52) from:
// Maximum GLPI version, exclusive
define('PLUGIN_FUSIONINVENTORY_GLPI_MAX_VERSION', '10.0.7');
to, e.g. for GLPI 10.0.16:
// Maximum GLPI version, exclusive
define('PLUGIN_FUSIONINVENTORY_GLPI_MAX_VERSION', '10.0.17');
source: https://github.com/fusioninventory/fusioninventory-for-glpi/issues/3453
On Windows the agent is installed as a service that starts automatically and transparently (you can check this with Windows+R => services.msc => GLPI Agent).
To show the agent in the system tray, there used to be Glpi-Agent Monitor. This option is now built in: just edit the AgentMonitor key in the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\GLPI-Agent\Installer => set AgentMonitor to 1.
source: https://glpi-agent.readthedocs.io/en/1.11/index.html
If it's not working, download the latest glpi-inventory-plugin from https://github.com/glpi-project/glpi-inventory-plugin/releases
If installing any plugin from the Marketplace fails with the message « Plugin archive format is not supported by your system : tbz2. », the php-bz2 dependency is missing. Install it with:
sudo apt install php-bz2
Now plugins should be downloadable.
Enable the inventory option in Administration > Inventory.
When it is disabled, this is visible in the agent logs:
[warning] [http client] Inventory support is disabled server-side
[error] No supported answer from server at http://192.168.*.*/glpi
Force a new inventory and wait a little while for GLPI to fetch all the data.