move LOGIN_REQUIRED from Optional Settings to Required Settings
Change Type: Correction
Area: Configuration
Proposed Changes:
move LOGIN_REQUIRED from Optional Settings to Required Settings
When LDAP is manually enabled for authentication and LOGIN_REQUIRED is left at its default of False in configuration.py, anonymous users can view image attachments without authentication. This behaviour is not well documented in the "Optional Settings" section. Users are not warned. This could lead to an information leak.
I set up my NetBox with LDAP credentials for login; anonymous users can't log in, but they are still able to view image attachments without authentication if they know the image attachment URL.
With the config below, I think my NetBox is well protected, but it is not.
```python
# LDAP
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
LOGIN_REQUIRED = False
```
Only when I change it to
```python
LOGIN_REQUIRED = True
MEDIA_ROOT = '/opt/netbox/netbox/media'
```
does the LoginRequiredMiddleware in urls.py start to kick in.
```python
from django.conf import settings
from django.urls import path
from django.views.static import serve
from netbox.views import StaticMediaFailureView

# Fragment of the urlpatterns list in NetBox's netbox/urls.py:
# Serving static media in Django to pipe it through LoginRequiredMiddleware
path('media/<path:path>', serve, {'document_root': settings.MEDIA_ROOT}),
path('media-failure/', StaticMediaFailureView.as_view(), name='media_failure'),
```
Given the severity, LOGIN_REQUIRED should be moved from Optional Settings to Required Settings, so that users are required to understand the risk and explicitly set the variable.
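A quick way to verify the exposure described in this report against a running instance, added here as an example and not part of the issue or of NetBox's own code: it issues an anonymous GET for a /media/ path without following redirects and reports whether the file was served (LOGIN_REQUIRED left at False) or the request was redirected to the login page (LOGIN_REQUIRED=True). The attachment path is a placeholder that must be replaced with a real one from your instance, and the check assumes the default LOGIN_URL of /login/.

```python
"""Probe whether a NetBox instance serves /media/ attachments to anonymous clients."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumed placeholder: NetBox serves image attachments under /media/<path>.
# Replace with a path of an attachment that actually exists on your instance.
EXAMPLE_PATH = "media/image-attachments/example.png"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them,
    so the Location header (the login redirect) can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location=None):
    """Map the result of an unauthenticated GET to a verdict.

    200            -> file served with no session: LOGIN_REQUIRED is False (EXPOSED)
    3xx to /login/ -> LoginRequiredMiddleware intercepted the request (PROTECTED)
    401 / 403      -> refused (PROTECTED)
    404            -> path does not exist; pick a real attachment before judging
    Assumption: LOGIN_URL keeps NetBox's default '/login/'.
    """
    if status == 200:
        return "EXPOSED"
    if status in (301, 302, 303, 307, 308):
        if location and "login" in urlsplit(location).path:
            return "PROTECTED"
        return "UNKNOWN"
    if status in (401, 403):
        return "PROTECTED"
    if status == 404:
        return "NOT_FOUND"
    return "UNKNOWN"


def probe(base_url, media_path=EXAMPLE_PATH, timeout=10):
    """Anonymous GET of base_url + media_path; returns (verdict, url)."""
    url = urljoin(base_url.rstrip("/") + "/", media_path.lstrip("/"))
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "netbox-media-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location")), url
    except urllib.error.HTTPError as err:
        # Redirects and error statuses arrive here because of _NoRedirect.
        return classify(err.code, err.headers.get("Location")), url


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} https://netbox.example.com [media/path/to/file]")
    verdict, probed = probe(sys.argv[1], *sys.argv[2:3])
    print(f"{verdict}: {probed}")
```

Run it once with LOGIN_REQUIRED = False and once with LOGIN_REQUIRED = True to see the verdict flip from EXPOSED to PROTECTED; a NOT_FOUND result means the path is wrong, not that the instance is safe.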
Since the variable already exists in the configuration, what exactly are you expecting when you say it should be explicitly set in the configuration?
What I propose is a change to the documentation.
In the documentation at https://demo.netbox.dev/static/docs/configuration/optional-settings/, LOGIN_REQUIRED should be moved from Optional Settings to Required Settings. Or, in Security, users should be encouraged to set it to "True" if they configure LDAP.
In my case, NetBox configured with LDAP can still let anonymous users access sensitive image attachments without authentication. This behaviour is not clearly documented, IMHO.
My suggestion is to change the description for LOGIN_REQUIRED:
LOGIN_REQUIRED
Default: False
Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox but not make any changes. Even if authentication is configured, anonymous users are still permitted to access image attachments if this is set to False.
Another issue I find is that when I visit https://demo.netbox.dev/static/docs/configuration/optional-settings/ I don't see Security in the left side navigation menu.
Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox but not make any changes.
From the documentation, it clearly states that most data is already accessible, and this is defined under Security.
Moving this to required settings will only make sense if we also change the code to ensure the value is set, which doesn't really improve the quality of life as an administrator. Having said that, I'll mark this under review if another maintainer feels this change would benefit the users in any way.
@marsteel you've made two conflicting statements:
move LOGIN_REQUIRED from Optional Settings to Required Settings
What I propose is a change to the documentation.
A required parameter must be defined in the configuration file by an administrator in order for NetBox to run. DATABASE and SECRET_KEY are examples of required parameters.
As LOGIN_REQUIRED is a boolean parameter, it makes little sense to require that it be explicitly defined: Its default value can only be true or false, and we've opted for false. If anything, I suspect you're actually arguing to change its default value to true.
Another issue I find is when I visit https://demo.netbox.dev/static/docs/configuration/optional-settings/ I don't see Security in left Side Navigation Menu.
The NetBox documentation is found at https://docs.netbox.dev/.
@jeremystretch
What I want to mention is that when an administrator enables LDAP to protect NetBox but leaves LOGIN_REQUIRED at its default of False, it will cause an information leak. Like me, I thought I had enabled LDAP and no one could access NetBox without logging in. I was wrong. Someone can still access image attachments without logging in. I was not warned, because LOGIN_REQUIRED is listed as an Optional Setting. Who can imagine that when LDAP is applied, the optional LOGIN_REQUIRED must be changed to True?
I happened to visit https://demo.netbox.dev/static/docs/configuration/optional-settings/ directly earlier somehow. LOGIN_REQUIRED is listed there as an Optional Setting. I can't find "Security" in the left navigation menu. So I didn't think it was a must when I configured LDAP.
The URL is in my browser history. And if I access that URL at this moment, the "Security" entry is not there. I don't know why there is such an inconsistency between https://docs.netbox.dev/ and https://demo.netbox.dev/static/docs/configuration/optional-settings/. I suggest the information at https://demo.netbox.dev/static/docs/configuration/optional-settings/ should be updated, or viewers should be redirected to https://docs.netbox.dev/.
Closing this in favor of #16107 as suggested above.