Bug 21331 - glpi new security issues fixed upstream in 9.1.5 and 9.1.6
Summary: glpi new security issues fixed upstream in 9.1.5 and 9.1.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-07-23 21:51 CEST by David Walser
Modified: 2018-02-25 00:26 CET (History)
6 users (show)

See Also:
Source RPM: glpi-9.1.1-2.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-07-23 21:51:55 CEST
Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LJ3F3MJ4KYXBL67QB5D7M4D52ZPORVWD/

Additionally, more security issues were also fixed in 9.1.6:
http://glpi-project.org/spip.php?page=annonce&id_breve=378&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=379&lang=en

Mageia 6 is also affected.  I'm not sure whether Mageia 5 is as well.
David Walser 2017-07-23 21:52:03 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2017-07-25 04:07:00 CEST
glpi-9.1.6-1.mga7 uploaded for Cauldron by Guillaume.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Nicolas Lécureuil 2017-07-27 01:48:09 CEST
9.1.6 pushed in mga6 updates_testing ( using guillaume cauldron's commit )
src.rpm:  glpi-9.1.6-1.mga6

Assignee: guillomovitch => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2017-07-27 02:09:54 CEST
Advisory:
========================

Updated glpi package fixes security vulnerabilities:

The glpi package has been updated to version 9.1.6, which fixes several
security issues and other bugs.  See the upstream release announcements for
details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11475
http://glpi-project.org/spip.php?page=annonce&id_breve=370&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=373&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=376&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=378&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=379&lang=en
========================

Updated packages in core/updates_testing:
========================
glpi-9.1.6-1.mga6

from glpi-9.1.6-1.mga6.src.rpm
Comment 4 Herman Viaene 2017-08-01 12:01:16 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
Found tutorial at http://www.supinfo.com/articles/single/95-tutoriel-installation-glpi
But I run into a mysql issue
# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.25-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database dbbglpi character set utf8;
Query OK, 1 row affected (0.28 sec)

MariaDB [(none)]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

I tried
MariaDB [(none)]> uninstall plugin validate_password;
ERROR 1305 (42000): PLUGIN validate_password does not exist
MariaDB [(none)]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

No time anymore today to investgate this further. Come and see later.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2017-08-02 11:29:10 CEST
To get around the mysql validation problem I had to comment out the line
plugin-load-add=cracklib_password_check.so
in /etc/my.cnf.d/cracklib_password_check.cnf and the restart mysqld
Then pointing Firefox to localhost/glpi just draws a blank screen. I found an error in /var/log/httpd/error_log :
[Wed Aug 02 10:26:08.045403 2017] [:error] [pid 4043] [client ::1:48288] PHP Fatal error:  require_once(): Failed opening required '/usr/share/php/ezc/Base/autoloader.php' (include_path='.:/usr/lib/php/:/usr/share/pear/:/usr/share/php/') in /usr/share/php/ezc/Graph/autoloader.php on line 138
Checked and of course /usr/share/php/ezc/Base/autoloader.php does not exist, but there was a file base_autoload.php.
I took a chance and copied that file in /usr/share/php/ezc/Base/ and named it autoloader.php.
Then pointing Firefox to localhost/glpi brings me to http://localhost/glpi/install/install.php and gives me the glpi starting screen where to select the language. But after clicking "OK" I get "No connection" and var/log/glpi is empty.
Giving up on it. Maybe someone can shad some light onthis php issue.
Comment 6 David Walser 2017-08-04 22:15:08 CEST
Fedora has issued an advisory for glpi 9.1.6 on August 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CL44XMRTDZRRPNINXWREOTMEJ3HERUD7/
Comment 7 Len Lawrence 2017-08-27 16:29:55 CEST
Congratulations on the detective work Herman and kudos for experimenting.

I am trying to get this working on mga6::x86_64 but have not got very far.
Managed to get past the password hurdle using your tip about commenting out the cracklib_password_check line.

I found the tutorial very confusing.  Could not figure out if everything had to be done as root.  Do you have to create this user www-data?  I guessed not and assigned ownership of /var/www/glpi/ to myself lcl:lcl.  Pointing firefox to http://localhost/glpi raised an "Object not found!" message and there was nothing corresponding to your error in the error_log.  /usr/share/php/ezc/ does not exist.  In fact /usr/share/php/ is empty.  /var/www/glpi/ is empty because the instruction to download the glpi tarball resulted in Connection timed out and a series of retries.

Went back a bit and reassigned access rights to /var/www/glpi to root.  And there it stands.  Where to go from here?

CC: (none) => tarazed25

Comment 8 Len Lawrence 2017-08-27 16:39:56 CEST
Checking the prerequisites I saw that php was missing.  Installed php-cgi and php-suhosin but that made no difference.  Error 404 again.
Comment 9 David Walser 2017-08-27 16:59:47 CEST
www-data is a Debian user.  The package already contains the files, so it shouldn't be downloading the tarball.  You shouldn't be changing the ownership of the files in the package.

Check /etc/httpd/conf/sites.d/glpi.conf for the Alias to see what the URL should be and where the files are stored (it looks like they're in /usr/share/glpi).
Comment 10 Len Lawrence 2017-08-27 17:10:34 CEST
Thanks David for the pointer.  I really am so far out of my depth here that I was going to chuck it in.

I am still unclear about who the operator is in all this; is it me, is it root, or  ....?
Comment 11 David Walser 2017-08-27 17:23:20 CEST
I don't know anything about glpi, but hopefully it's like any other webapp where you make a database and visit the URL through localhost.  It looks like the URL is /glpi from what Herman said, but it also looks like there may be a packaging issue.

CC'ing the packager, Guillaume, since he forgot to CC himself when assigning to QA.

CC: (none) => guillomovitch
Whiteboard: (none) => feedback

Comment 12 David Walser 2017-08-27 17:24:05 CEST
Len, BTW I'm not sure what you mean by operator.
Comment 13 Len Lawrence 2017-08-27 17:55:53 CEST
Who is regarded as the user?  Who should be given access to glpi?
I know virtually nothing about databases and web interfaces.

I tried this:
And yes, I did wonder what the tarball might contain that was not already installed.  Contents of usr/share/glpi moved to /var/www/
Gave myself full access rights to /var/www/glpi/

mysql:
MariaDB..> create database dbbglpi character set utf8;
ERROR 1007 (HY000): Can't create database 'dbbglpi'; database exists
MariaDB [(none)]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

Tried http://localhost/glpi/ and hit error 404.

> drop database dbbglpi;
Query OK, 0 rows affected (0.00 sec)

> create database dbbglpi character set utf8;
Query OK, 1 row affected (0.00 sec)

> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Back to localhost/glpi/  =>  Error 404
Comment 14 David Walser 2017-08-27 18:07:08 CEST
(In reply to Len Lawrence from comment #13)
> Who is regarded as the user?  Who should be given access to glpi?
> I know virtually nothing about databases and web interfaces.

What user?  What do you mean given access?

> I tried this:
> And yes, I did wonder what the tarball might contain that was not already
> installed.  Contents of usr/share/glpi moved to /var/www/
> Gave myself full access rights to /var/www/glpi/

Why are you doing that?  Don't do that.  I imagine the Alias I told you about refers to /usr/share/glpi so it's already looking for it there, as installed by the package.  From what Herman said it sounds like that much does work, so I'm not sure why you're seeing a 404.  Anything useful in /var/log/httpd/access_log or error_log?
Comment 15 Len Lawrence 2017-08-27 18:18:16 CEST
Sorry David, I only just noticed what you said about not changing ownership.  Have reverted that.

It also struck me as very odd that the tutorial instructed the user to move the whole lot from /usr /to /var/www.  I shall put things back the way they were and see if it goes as far as Herman drove it.
Comment 16 Len Lawrence 2017-08-27 18:41:03 CEST
Re comment 14.

I was confused about who actually owned the database, root, the user, ...?
$ sudo updatedb
$ locate dbbglpi
/var/lib/mysql/dbbglpi
$ ls -l /var/lib/mysql/dbbglpi
ls: cannot open directory '/var/lib/mysql/dbbglpi': Permission denied

It is owned by mysql:mysql and I am not a member of the mysql group.  Should I be?
Comment 17 Len Lawrence 2017-08-27 18:52:09 CEST
access_log contains nothing useful, just repeated

127.0.0.1 - - [27/Aug/2017:17:09:42 +0100] "GET /glpi/ HTTP/1.1" 404 1037 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

and nothing at all in error_log around the time of the experiments.
Comment 18 claire robinson 2017-08-27 18:59:47 CEST
I think you're over thinking this Len.

For most webapps, assuming you already have task-lamp installed and services running, you then install the package(s), configure a database for it to use - simplest way is to use phpmyadmin - then visit the url http:/localhost/<package>.

There are nothing related to any desktop user, in the same way as creating an account at Mageia doesn't require any desktop settings.

Typically, installing the package also restarts/reloads apache to re-read the new apache configuration files for the package - kept in /etc/httpd/sites.d/

There may be an web based installer which will request database details, etc to follow, and occasionally it's a manual process. To find the configuration files look in the apache packae config file to see where the "Alias" is linked to. It'll typically say something like:

Alias glpi /usr/share/glpi

Which means when you visit http://localhost/glpi apache instructs your browser to display the web stuff in /usr/share/glpi

It's really just a glorified symlink with a database attached.
Comment 19 claire robinson 2017-08-27 19:01:18 CEST
might be /etc/httpd/conf/sites.d for the conf files actually, off the top of my head.
Comment 20 David Walser 2017-08-27 19:07:58 CEST
Len, database users and Linux users are two completely different things.  You shouldn't be manually messing with the files in /var/lib/mysql.  As Claire alluded to, in mysql you create a database user to own the database and then you have to give those details to the webapp some how.
Comment 21 Len Lawrence 2017-08-27 19:40:35 CEST
Thanks Claire and David.  Databases and web applications are another country for me.  However from what you have said there appears to be no reason why the configuration interface should not display in a browser.  Everything seems to be in order, except perhaps the lamp stack.  Since I had to install php manually there is a good chance something else might be missing.

Right.  Installed task-lamp, restarted httpd and tried the link.  This time it simple hangs on a blank page.  mysqld is running.

glpi.conf has a stanza for the glpi directory:

<Directory /usr/share/glpi>
    Require all granted
    Options -FollowSymLinks
    # recommanded value
    php_value memory_limit 64M
</Directory>

but further down "Require all denied" for files, locales, mysql etc.
Comment 22 Len Lawrence 2017-08-27 20:04:37 CEST
There is a 404 error buried in the access error log:
$ tail /var/log/httpd/access_log
.....................
192.168.1.156 - - [27/Aug/2017:18:28:10 +0100] "GET /glpi/ HTTP/1.1" 500 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [27/Aug/2017:18:28:59 +0100] "GET /glpi HTTP/1.1" 301 230 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [27/Aug/2017:18:28:59 +0100] "GET /glpi/ HTTP/1.1" 500 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [27/Aug/2017:18:28:59 +0100] "GET /favicon.ico HTTP/1.1" 404 1037 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
127.0.0.1 - - [27/Aug/2017:18:28:59 +0100] "GET /favicon.ico HTTP/1.1" 404 1037 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

Went on to try Herman's neat little trick of renaming the autoloader file and up came the interface!!!

Traversed a couple of screens but refrained from either installing or upgrading glpi.  It works as far as that.  The puzzle now is why Herman cannot reach the GPL Licence page (step 2).  /var/log/glpi/ is empty here too so that is probably OK.

Good for 64-bits once the autoloader business is fixed.
Comment 23 David Walser 2017-08-27 20:07:58 CEST
A 404 on the favicon.ico is OK.
Comment 24 Len Lawrence 2017-08-27 20:30:50 CEST
And now for the update. :p

The package installed fine.  Dropped the two databases created previously and checked the autoloader fix in /usr/share/php.  Installation restarts the httpd server.

Pointed firefox at localhost/glpi/ to invoke the configuration page.  Working perfectly.

OK for 64-bits.  Do we raise a bug on the PHP autoloader issue?  Is it a separate issue or something in the glpi packaging?

Maybe we should wait for Guillaume's response to this.
Comment 25 Guillaume Rousse 2017-08-28 20:46:43 CEST
Pushing the cauldron package directory into stable release was not a great idea, for at least two reasons:
- first, it is a major version update, triggering a database schema change, which is largely unexpected given our update policy
- second, the new package relies on every PHP package dependencies to ship an autoloader with an expected filename, which is not the case in mageia 5

The correct fix here is to port the following commits to GLPI 0.84:
https://github.com/glpi-project/glpi/pull/2492/commits/7b7051fe42d36f53270b943b1a3c238c9ed503b5
https://github.com/glpi-project/glpi/pull/2481/commits/1a1e9e15f0dd52d68f18e0d64ab1ded199f3c263
https://github.com/glpi-project/glpi/pull/2481/commits/9619f0235615f14e088d31edc7a0ac3c5f30ac9a

I'll try to do it during the week, unless someone else manage to do it first.
Comment 26 Guillaume Rousse 2017-08-28 21:13:42 CEST
None of those commits apply, because the corresponding code doesn't exist in 0.84. Which could perfectly mean than 0.84 is not concerned by the problem. 

Also, those commits only correspond to the security issues fixes with 9.1.6 release, we also have similar issues in 9.1.5, 9.1.4, etc... That's way too much work, for dubious benefits. Especially given the lack of authoritative information (CVE number, and vulnerability statement).

For all those reasons, I'd rather not push any update for mageia 5, unless someone want to handle this work properly. We may eventually provide backports of glpi 9, if current infrastructure allows it, for interested users.
Comment 27 Samuel Verschelde 2017-09-06 15:09:32 CEST
Moving 'feedback' from whiteboard to keywords now that madb has been updated to handle that keyword.

Whiteboard: feedback => (none)
Keywords: (none) => feedback

Comment 28 David Walser 2017-12-29 17:24:21 CET
Assigning to Guillaume to make sure we have a good update for this package before we assign it back to QA.

Assignee: qa-bugs => guillomovitch
CC: (none) => qa-bugs
Keywords: feedback => (none)

Comment 29 Guillaume Rousse 2018-01-06 12:26:35 CET
I'm not sure about what kind of feedback you expect from me.

Shipping GLPI 9.1.6 for mageia 6, as an update to GLPI 9.1.1, should be OK.
Shipping GLPI 9.1.6 for mageia 5, as an update for GLPI 0.84 is not. Moreover, GLPI doesn't qualify for mageia 5 extended support.
Comment 30 David Walser 2018-01-06 12:33:46 CET
Guillaume, this bug isn't, and never was, about Mageia 5.  It's only for Mageia 6.  We did update it to 9.1.6, and the QA team tried to test it and couldn't get it to work.  Can you provide some feedback on that?  Is the package broken or are they doing something wrong?
David Walser 2018-02-02 18:15:57 CET

Status comment: (none) => Need feedback from maintainer if update candidate is OK

Comment 31 Guillaume Rousse 2018-02-10 12:45:29 CET
The GLPI update candidate is fine.

What is wrong in the php-zetacomponent-base package shipped in mageia 6, because it was not rebuild with bootstrap macro disabled (chicken-and-egg problem: in order to generate bootloader with fedora phpab tool, you need php-zetacomponent-base, and in order to build php-zetacomponent-base, you need phpab...). I'm the culprit, I probably forgot to do it before the release. I just submitted php-zetacomponents-base-1.9-1.1.mga6 in update_testing, that should fix the issue.

Small hint for the QA team: when update package foobar doesn't work, just check if the same package in the base distribution does, in order to identify regressions from problem than already existed in the release.
Comment 32 David Walser 2018-02-10 22:45:49 CET
Thanks Guillaume!

Advisory:
========================

Updated glpi package fixes security vulnerabilities:

The glpi package has been updated to version 9.1.6, which fixes several
security issues and other bugs.  See the upstream release announcements for
details.

An issue in the php-zetacomponents-base package which prevented GLPI from
working has also been fixed.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11474
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11475
http://glpi-project.org/spip.php?page=annonce&id_breve=370&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=373&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=376&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=378&lang=en
http://glpi-project.org/spip.php?page=annonce&id_breve=379&lang=en
========================

Updated packages in core/updates_testing:
========================
php-zetacomponents-base-1.9-1.1.mga6
glpi-9.1.6-1.mga6

from SRPMS:
php-zetacomponents-base-1.9-1.1.mga6.src.rpm
glpi-9.1.6-1.mga6.src.rpm

Assignee: guillomovitch => qa-bugs
CC: qa-bugs => (none)
Status comment: Need feedback from maintainer if update candidate is OK => (none)

Comment 33 Len Lawrence 2018-02-12 17:57:50 CET
Mageia 6 :: x86_64

Installed the update packages.
Installed mysql and started mysqld.

# mysql -u root -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Consulted https://www.tutorialspoint.com/mysql/ to find out how to set the root password.
# mysqladmin -u root password .........
mysqladmin: 
You cannot use 'password' command as mysqld runs
 with grant tables disabled (was started with --skip-grant-tables).
Use: "mysqladmin flush-privileges password '*'" instead

# mysqladmin flush-privileges password '............';
mysqladmin: 
You cannot use 'password' command as mysqld runs
 with grant tables disabled (was started with --skip-grant-tables).
Use: "mysqladmin flush-privileges password '*'" instead

# mysqladmin flush-privileges password '*';

So, no way to set a password.
Trying without:

# mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12
MariaDB [(none)]> create database dbbglpi character set utf8;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> quit

As user:
$ mysql -u root
MariaDB [(none)]> use dbbglpi
Database changed
MariaDB [dbbglpi]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [dbbglpi]> quit

That confirms that mysql needs a password.  That is as far as it goes.  Cannot test glpi.  Handing over to anybody else.
Comment 34 Len Lawrence 2018-02-12 18:24:45 CET
Addendum to comment 33:

Last ditch attempt - went to /etc/my.cnf and inserted the password there but was still denied access.
Comment 35 David Walser 2018-02-12 23:28:48 CET
Len, apparently as of Mageia 6, you need to run a script, I think called mysql_secure_installation or something like that, to set the password.  I think it is also documented on our wiki somewhere.
Comment 36 Len Lawrence 2018-02-12 23:56:12 CET
OK thanks.  I shall see if I can find it - not tonight though.
Comment 37 Len Lawrence 2018-02-12 23:59:05 CET
It even has a man page: mysql_secure_installation.
Comment 38 Len Lawrence 2018-02-13 00:04:54 CET
OK, can login now.  Continuing tomorrow.
Comment 39 Len Lawrence 2018-02-13 11:25:54 CET
For the uninitiated - glpi is an "IT asset and inventory management" system.

$ mysql -u root -p
Enter password: 
MariaDB [(none)]> use dbbglpi
Database changed
MariaDB [dbbglpi]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
Query OK, 0 rows affected (0.00 sec)

MariaDB [dbbglpi]> flush privileges;
Query OK, 0 rows affected (0.01 sec)


Pointed browser at localhost/glpi which displayed the glpi setup screen.
Agreed to the licence terms and selected upgrade.
That displayed the environment compatibility chart, step 0.  One red comment:
"fileinfo extension is missing"
and four orange warnings about missing extensions, which can be ignored.
Looks like the user cannot get past this point without the fileinfo plugin.
Did some browsing and came across this message in a forum:
"Fileinfo extension of your parser PHP is not installed"

$ sudo urpmi php-fileinfo
$ sudo systemctl restart httpd

Back to glpi, continued to step 1 and tried to connect to a database (does not give a database name option, just a login).  Tried root and the mysql password and the connection attempt timed out. Users like cactus, and joebloggs were presented, fossils from an earlier time, and a new user suzy.  Went back to the login step and entered dbbglpi in the SQL server field, replacing mysql.  Timeout with "The action you have requested is not allowed".  Blundering on, restarted the interface and placed mysqld in the server field then logged in as 'root'.  Timeout again.

I think it is time to give up on this.  Seven hours work and nothing to show for it.
Comment 40 Len Lawrence 2018-02-13 11:55:48 CET
This trained monkey has just spotted what looks like a silly mistake.
Trying to mend it.
MariaDB [dbbglpi]> grant all privileges on dbbglpi.* to root@localhost identified by 'root';
Query OK, 0 rows affected (0.00 sec)

But no, it still times out in glpi setup.
Comment 41 Len Lawrence 2018-02-13 12:05:53 CET
Added 'flush privileges;'

Still times out.
Comment 42 Len Lawrence 2018-02-13 14:09:44 CET
And now I have screwed things completely.  Locked out of mysql - no longer responds to the 'root' password.  That was after trying to run mysql_secure_installation again.  Looks like it can be used only once.  Just wanted to run through the options to see if I had done something wrong because there seems to be no solution to the database problems here.  I have always regarded databases as a nightmare - should have left the whole subject alone.
Comment 43 Len Lawrence 2018-02-13 14:36:59 CET
Moved to another machine, installed task-lamp, php-fileinfo and started mysqld.
Ran mysql_secure_installation to set the password for mysql.  No apparent problem.
$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 10.1.30-MariaDB Mageia MariaDB Server
MariaDB [(none)]> create database glpi character set utf8;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on glpi.* to root@localhost identified by 'root';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements


???
Comment 44 Len Lawrence 2018-02-13 15:02:29 CET
MariaDB [glpi]> drop database glpi;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database ddbglpi character set utf8;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> grant all privileges on dbbglpi.* to root@localhost identified by 'root';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> use dbbglpi
ERROR 1049 (42000): Unknown database 'dbbglpi'
Comment 45 Herman Viaene 2018-02-13 15:22:20 CET
MGA6-32 on Lenovo B50 Plasma
Installed packages plus mysql (was not there before
Ref to comments 4 and 5 for the installation of the database, thus
# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 10.1.30-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database dbbglpi character set utf8;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
Query OK, 0 rows affected (0.00 sec)
But then, pointing to http://localhost/glpi gave me error 404. I checked the http conf files but could not find anything wrong,and logs had noinfo either.
I wanted to see if the CLI would give anything away, so I closed firefox, started it from the CLI as normal user and now I get the setup screen from http://localhost/glpi.
Inveestigating further.
Comment 46 Herman Viaene 2018-02-13 15:29:42 CET
Co,tinuing setup goes on, in the end report all is OK, except "APCu extension is not present"
Continuing, logging in with glpi/glpi, selecting database created above, and setup finishes successfully.
Displaying:
De installatie is voltooid

Standaard gebruikersnaam/wachtwoord zijn:

    glpi/glpi voor de beheerder/administrator account
    tech/tech voor de technische gebruiker
    normal/normal voor het normal account
    post-only/post-only voor het 'alleen posten'-gebruikersaccount

U kunt deze gebruikers verwijderen of wijzigen, net als de intiële waarden in de databank

Installation iscompleted etc.....
So seems OK, but I do nt understand why I had to restart firefox to get going.

Whiteboard: (none) => MGA6-64-OK

Comment 47 Len Lawrence 2018-02-13 16:05:57 CET
Drawing a line under this for x86_64.  The update is not about mysql and  the update enables the glpi interface to work up to the point of failing to connect to the database, which means that glpi cannot be exercized.  It is probably OK; just needs somebody who knows what they are doing in mysql to confirm that.

@herman - re comment 45
Did you have to create the glpi user and if not, how did you set a password for it?  I had already tried the glpi user and hit a brick wall at the password in the web interface.
Comment 48 Herman Viaene 2018-02-13 16:33:53 CET
@ Len
First AFAICS in your last try you missed the editing of /etc/my.cnf.d/cracklib_password_check.cnf, that causes the password issue in the beginning.
Second is - no offence meant - that I think you are grappling with system (Linux)-users and database users. They have nothing to do with each other. But for ease of use (and apparently confusion) they often have the same name.
So the system user glpi is created with the installation of the package, but it never comes into play in the rest of the configuration.
The statement in mysql: grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
puts you on the wrong foot: it seems to create the database user "glpi" on the fly, so after that, you have nothing to do with it. "Identified by" is in mysql-ese setting the password, the identity is glpi@localhost. In phpmyadmin, you would see a user "glpi".
Comment 49 Len Lawrence 2018-02-13 17:25:20 CET
Thanks for the comments.  
I thought that the mysql_secure_installation was supposed to take care of the password problem but I shall try the cracklib business.

No offence taken.  Claire explained to me long ago that mysql users have nothing in common with desktop users.  However I found that by default the mysql user is called 'root'.
If any other mysql name is used the mysql password does not work.

Yes, I suspected that the database user glpi was created on the fly but thought 'identified by' would have the rational meaning.  I certainly did not realize that it meant password.  Thanks for the insight.  I have not found a good tutorial for mysql yet.
Comment 50 claire robinson 2018-02-13 17:30:04 CET
Testing mga6 64 Fresh-ish Vbox

tl;dr; Seems to be missing a require on php-fileinfo, otherwise ok.

Installed task-lamp, uninstalled proftpd (just unwanted). Restarted mysqld and httpd services. Ran mysql_secure_installation and set a (mariadb/mysql) root password, etc.


Before
------
# mysql -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.30-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create user glpi@localhost identified by 'glpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> create user glpi@localhost identified by 'glpiglpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> create user glpi@localhost identified by 'glpi1234';
Query OK, 0 rows affected (0.09 sec)

MariaDB [(none)]> create database glpi;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on glpi.* to glpi@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit;
Bye


# urpmi glpi

Browsing to http://localhost/glpi presents a blank screen.


After
-----
# urpmi glpi php-zetacomponents-base

$MIRRORLIST: media/core/updates_testing/glpi-9.1.6-1.mga6.noarch.rpm
$MIRRORLIST: media/core/updates_testing/php-zetacomponents-base-1.9-1.1.mga6.noarch.rpm 
...etc


Browsing to http://localhost/glpi redirects to the installer at http://localhost/glpi/install/install.php

The installer fails when checking requirements..
"fileinfo extension is missing"

Unable to continue the installation without first installing php-fileinfo, so seems a missing require.

Also seemed to need to manually restart httpd before it could proceed.

Gave database connection details..
SQL Server - localhost
SQL User - glpi
SQL Password - glpi1234

Selected to use the glpi databse earlier created and clicked through the rest of the setup.

Noted the default users.

Default logins / passwords are:

    glpi/glpi for the administrator account
    tech/tech for the technician account
    normal/normal for the normal account
    post-only/postonly for the postonly account

Logged in a glpi/glpi and ignored the request to change password.Created a computer on the system and logged out.


Removed datase/user and tidied up.
# mysql -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 50
Server version: 10.1.30-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> drop database glpi;
Query OK, 245 rows affected (0.02 sec)

MariaDB [(none)]> drop user glpi@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit;
Bye

# urpme glpi

Whiteboard: MGA6-64-OK => MGA6-64-OK feedback

Comment 51 Len Lawrence 2018-02-13 17:37:54 CET
$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 26
Server version: 10.1.30-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> grant all privileges on ddbglpi.* to glpi@localhost identified by '........';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> 


Back to the web interface -> install
settings were mysql, glpi, <password>
Failed to connect.

Sigh!  24 hours and counting...
Comment 52 Herman Viaene 2018-02-13 17:44:23 CET
@ Len
You seem to have missed the "create database ......" That database should appear in the list.
Comment 53 Len Lawrence 2018-02-13 17:53:04 CET
Re comment 50:

A bit of extra information there.  So the server is 'localhost'.  I used 'mysql' thinking it meant the server type.

Corrected that to localhost and glory be - an immediate connection.
Continued to the management interface with the personal view.  It looks functional.

Thanks for testing Claire.  Giving this the OK for 64 bits.

@Herman.  No, the database was created earlier.  All is well now; gradually learning the language.
Comment 54 claire robinson 2018-02-13 17:58:13 CET
Welcome. I am trying to still keep an eye on you all :)

There seems to be a missing require on php-fileinfo. If that can be added, a quick check with urpmq would suffice.
Guillaume Rousse 2018-02-13 19:58:30 CET

CC: guillomovitch => (none)

Comment 55 David Walser 2018-02-16 20:40:14 CET
Guillaume, I know it can generate a lot of e-mails, but please leave yourself CC'd for your packages.  The package is missing a requires on php-fileinfo, so your help is needed.

CC: (none) => guillomovitch

Comment 56 Guillaume Rousse 2018-02-19 21:20:31 CET
glpi-9.1.6-2.mga6 submitted in updates_testing, with php-fileinfo dependency added.
Comment 57 David Walser 2018-02-22 23:25:37 CET
Thanks!  I think we can validate this one.

Whiteboard: MGA6-64-OK feedback => MGA6-64-OK

Len Lawrence 2018-02-23 11:25:46 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-02-24 19:43:10 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 58 Mageia Robot 2018-02-25 00:26:15 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0135.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.