[Q&A] Security Implications for Personal Machines #629
-
Documentation & bug reporting acknowledgmentYes, I read it Describe your problemI have received a question, about instituions asking people to install glpi-agent to their >>Personal<< computers. The purpose, is managing inventory of the computers used within instituion's internal network. But, as far as I understand, the agent is capable of running remote tasks on the computer that it is installed to? Could you provide a bit of information about such a scenario? Is asking people to install this to their personal computers a malicious use of the software? Or is it one of the proper use cases? What are the implications for the user? Thanks. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
the agent can run few kind of tasks, but it will only be able to run the installed one. The ones which are always installed are "Inventory" and "RemoteInventory" tasks. Their purpose is only to collect datas and submit them to the server: they can't be used to modify the computer. Other tasks, which you can decide to not install, are "Collect", "ESX", "NetDiscovery", "NetInventory" and "Deploy". The 4 ones are like "Inventory" and "RemoteInventory": they collect datas and submit them to GLPI server. Indeed, only the "Deploy" task can be used to install softwares or modify the computer. But only GLPI Administrators can create such requests. If the user trust you as GLPI Administrator, this remains safe. So, if your purpose is just to collect the computer data, you can manage to just install the "Inventory" one. So the only security implication for the personal computer is to guaranty this software is not coming with a security hole. Anyway, there's another point, as you won't probably manage yourself the computer, you'll have to ask each user to update themselves GLPI-Agent. This may be a problem if they forget to update and a security hole has been found between the installed version and the current upstream one. But of course, this is the same problem for any other software. Also I would recommend to not install as a service in such case, but maybe as a planned task, one time a week, a month or so. Eventually, you can even just request a one time run if this is sufficient for your purpose. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for detailed explanations! I think it covers what I wanted to know.
In our scenario setting;
So what I understand for this scenario is; as long as I do not install/enable "Deploy" task.. system admins cannot compromise my personal machine by design, even if I install and configure GLPI Agent as they instruct. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, you're right in your scenario: as administrator of your personal computer, you will remain the only one. |
Beta Was this translation helpful? Give feedback.
Hi @furkanmustafa
the agent can run few kind of tasks, but it will only be able to run the installed one. The ones which are always installed are "Inventory" and "RemoteInventory" tasks. Their purpose is only to collect datas and submit them to the server: they can't be used to modify the computer.
Other tasks, which you can decide to not install, are "Collect", "ESX", "NetDiscovery", "NetInventory" and "Deploy". The 4 ones are like "Inventory" and "RemoteInventory": they collect datas and submit them to GLPI server.
Indeed, only the "Deploy" task can be used to install softwares or modify the computer. But only GLPI Administrators can create such requests. If the user trust you as GLPI A…