Permission issues on hardened server. #5840

New Issue

Closed

opened 2025-12-29 19:33:23 +01:00 by adam · 1 comment

adam commented 2025-12-29 19:33:23 +01:00

Owner

Copy Link

Originally created by @joubbi on GitHub (Dec 28, 2021).

NetBox version

v3.1.2

Python version

3.9

Steps to Reproduce

1. Install RHEL 8.5
2. Harden it with https://github.com/dev-sec/ansible-collection-hardening
3. Install Netbox according to https://netbox.readthedocs.io/en/stable/installation

Expected Behavior

The installation should succeed.

Observed Behavior

The netbox.service does not start due to permission problems.

$ sudo systemctl status netbox
[sudo] password for user01: 
● netbox.service - NetBox WSGI Service
   Loaded: loaded (/etc/systemd/system/netbox.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Tue 2021-12-28 16:20:48 CET; 1s ago
     Docs: https://netbox.readthedocs.io/en/stable/
  Process: 32199 ExecStart=/opt/netbox/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi (code=exited, status=203/EXEC)
 Main PID: 32199 (code=exited, status=203/EXEC)

Dec 28 16:20:48 rhel8-hardened.company.lan systemd[1]: netbox.service: Failed with result 'exit-code'.

Dec 28 15:55:17 rhel8-hardened systemd[31508]: netbox-rq.service: Failed to execute command: Permission denied
Dec 28 15:55:17 rhel8-hardened systemd[31508]: netbox-rq.service: Failed at step EXEC spawning /opt/netbox/venv/bin/python3: Permission denied
Dec 28 15:55:17 rhel8-hardened systemd[31509]: netbox.service: Failed to execute command: Permission denied
Dec 28 15:55:17 rhel8-hardened systemd[31509]: netbox.service: Failed at step EXEC spawning /opt/netbox/venv/bin/gunicorn: Permission denied
Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox-rq.service: Main process exited, code=exited, status=203/EXEC
Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox-rq.service: Failed with result 'exit-code'.
Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox.service: Main process exited, code=exited, status=203/EXEC
Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox.service: Failed with result 'exit-code'.

I understand that this is due to the file permissions set to be very restrictive by the hardening of the system:

total 36
drwx------.  9 root   root  248 Dec 28 14:50 circuits
drwx------. 11 root   root 4096 Dec 28 14:50 dcim
drwx------. 12 root   root 4096 Dec 28 14:50 extras
-rwx------.  1 root   root  277 Dec 28 14:36 generate_secret_key.py
drwx------. 11 root   root 4096 Dec 28 14:50 ipam
-rwx------.  1 root   root  249 Dec 28 14:36 manage.py
drwx------.  4 netbox root   56 Dec 28 14:36 media
drwx------.  8 root   root 4096 Dec 28 14:50 netbox
drwx------.  8 root   root  259 Dec 28 14:36 project-static
drwx------.  2 root   root   25 Dec 28 14:36 reports
drwx------.  2 root   root   25 Dec 28 14:36 scripts
drwx------. 11 root   root 4096 Dec 28 14:50 static
drwx------. 18 root   root 4096 Dec 28 14:36 templates
drwx------.  9 root   root  230 Dec 28 14:50 tenancy
drwx------.  7 root   root  222 Dec 28 14:50 users
drwx------.  9 root   root 4096 Dec 28 14:50 utilities
drwx------.  8 root   root  233 Dec 28 14:50 virtualization
drwx------.  8 root   root  287 Dec 28 14:50 wireless

The service starts if I modify /etc/systemd/system/netbox.serviceand change user=netbox to user=root.
But this is a bad idea and not the proper way to solve this.

I understand that my system is not like most other newly installed EL8 systems, but I think that the proper/needed file permissions should be documented or preferably set by the upgrade script upgrade.sh.

Originally created by @joubbi on GitHub (Dec 28, 2021). ### NetBox version v3.1.2 ### Python version 3.9 ### Steps to Reproduce 1. Install RHEL 8.5 2. Harden it with https://github.com/dev-sec/ansible-collection-hardening 3. Install Netbox according to https://netbox.readthedocs.io/en/stable/installation ### Expected Behavior The installation should succeed. ### Observed Behavior The netbox.service does not start due to permission problems. ``` $ sudo systemctl status netbox [sudo] password for user01: ● netbox.service - NetBox WSGI Service Loaded: loaded (/etc/systemd/system/netbox.service; enabled; vendor preset: disabled) Active: activating (auto-restart) (Result: exit-code) since Tue 2021-12-28 16:20:48 CET; 1s ago Docs: https://netbox.readthedocs.io/en/stable/ Process: 32199 ExecStart=/opt/netbox/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi (code=exited, status=203/EXEC) Main PID: 32199 (code=exited, status=203/EXEC) Dec 28 16:20:48 rhel8-hardened.company.lan systemd[1]: netbox.service: Failed with result 'exit-code'. ``` ``` Dec 28 15:55:17 rhel8-hardened systemd[31508]: netbox-rq.service: Failed to execute command: Permission denied Dec 28 15:55:17 rhel8-hardened systemd[31508]: netbox-rq.service: Failed at step EXEC spawning /opt/netbox/venv/bin/python3: Permission denied Dec 28 15:55:17 rhel8-hardened systemd[31509]: netbox.service: Failed to execute command: Permission denied Dec 28 15:55:17 rhel8-hardened systemd[31509]: netbox.service: Failed at step EXEC spawning /opt/netbox/venv/bin/gunicorn: Permission denied Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox-rq.service: Main process exited, code=exited, status=203/EXEC Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox-rq.service: Failed with result 'exit-code'. Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox.service: Main process exited, code=exited, status=203/EXEC Dec 28 15:55:17 rhel8-hardened systemd[1]: netbox.service: Failed with result 'exit-code'. ``` I understand that this is due to the file permissions set to be very restrictive by the hardening of the system: ```# ls -l /opt/netbox/netbox/ total 36 drwx------. 9 root root 248 Dec 28 14:50 circuits drwx------. 11 root root 4096 Dec 28 14:50 dcim drwx------. 12 root root 4096 Dec 28 14:50 extras -rwx------. 1 root root 277 Dec 28 14:36 generate_secret_key.py drwx------. 11 root root 4096 Dec 28 14:50 ipam -rwx------. 1 root root 249 Dec 28 14:36 manage.py drwx------. 4 netbox root 56 Dec 28 14:36 media drwx------. 8 root root 4096 Dec 28 14:50 netbox drwx------. 8 root root 259 Dec 28 14:36 project-static drwx------. 2 root root 25 Dec 28 14:36 reports drwx------. 2 root root 25 Dec 28 14:36 scripts drwx------. 11 root root 4096 Dec 28 14:50 static drwx------. 18 root root 4096 Dec 28 14:36 templates drwx------. 9 root root 230 Dec 28 14:50 tenancy drwx------. 7 root root 222 Dec 28 14:50 users drwx------. 9 root root 4096 Dec 28 14:50 utilities drwx------. 8 root root 233 Dec 28 14:50 virtualization drwx------. 8 root root 287 Dec 28 14:50 wireless ``` The service starts if I modify `/etc/systemd/system/netbox.service`and change `user=netbox` to `user=root`. But this is a bad idea and not the proper way to solve this. I understand that my system is not like most other newly installed EL8 systems, but I think that the proper/needed file permissions should be documented or preferably set by the upgrade script `upgrade.sh`.

adam closed this issue 2025-12-29 19:33:23 +01:00

adam commented 2025-12-29 19:33:24 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Dec 28, 2021):

If you alter the default permissions of the system, you'll also need to modify the steps provided in the NetBox documentation to accommodate the changes you made, or revert them. This is not something the NetBox documentation can or should address.

@jeremystretch commented on GitHub (Dec 28, 2021): If you alter the default permissions of the system, you'll also need to modify the steps provided in the NetBox documentation to accommodate the changes you made, or revert them. This is not something the NetBox documentation can or should address.

adam referenced this issue 2025-12-29 22:25:24 +01:00

[PR #6143] [MERGED] Release v2.10.9 #13100

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#5840