Index: /trunk/src/VBox/Installer/linux/vboxautostart-service.sh
===================================================================
--- /trunk/src/VBox/Installer/linux/vboxautostart-service.sh	(revision 88523)
+++ /trunk/src/VBox/Installer/linux/vboxautostart-service.sh	(revision 88524)
@@ -89,4 +89,29 @@
 }
 
+valid_db_entry() {
+
+    entry="$1"
+    [ -z "$entry" ] && return 1
+
+    user="$2"
+    [ -z "$user" ] && return 1
+
+    user_name=$(id -n -u "$user" 2>/dev/null)
+    [ -z "$user_name" ] && return 1
+
+    user_id=$(id -u "$user" 2>/dev/null)
+
+    # Verify that @user identifies a user *by name* (i.e. not a numeric id).
+    # Careful, all numeric user names are legal.
+    if [ "$user_id" = "$user" ] && [ "$user_name" != "$user" ]; then
+        return 1
+    fi
+
+    # Verify whether file name is the same as file owner name.
+    [ -z "$(find "$entry" -user "$user" -type f 2>/dev/null)" ] && return 1
+
+    return 0
+}
+
 start() {
     [ -z "$VBOXAUTOSTART_DB" ] && exit 0
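Review bot: The final ownership test in `valid_db_entry` does not confine `find` to the entry itself. When `$entry` is a directory, `find` descends into it and prints any regular file underneath that belongs to `$user`, so the function returns 0 even though the entry is not a regular file owned by that user. Restricting the search to the starting point matches what the comment describes: `[ -z "$(find "$entry" -maxdepth 0 -type f -user "$user" 2>/dev/null)" ] && return 1`. Separately, `$user` is derived from a file name and reaches `id` without an end-of-options marker, so a name starting with `-` is parsed as an option; `id -n -u -- "$user"` and `id -u -- "$user"` would avoid relying on the later checks to reject it.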
@@ -102,7 +127,11 @@
     unset VBOX_RELEASE_LOG_DEST
 
-    for user in `ls $VBOXAUTOSTART_DB/*.start`
+    for entry in "$VBOXAUTOSTART_DB"/*.start
     do
-        start_daemon `basename $user | sed -ne "s/\(.*\).start/\1/p"` $binary $PARAMS > /dev/null 2>&1
+        user=$(basename "$entry" .start)
+        [ "$user" = "*" ] && break
+        valid_db_entry "$entry" "$user" || continue
+
+        start_daemon "$user" "$binary" $PARAMS > /dev/null 2>&1
     done
 
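Review bot: The guard `[ "$user" = "*" ] && break` cannot tell an unmatched glob from a file that is actually named `*.start`, and `break` ends the loop instead of skipping that one entry, so such a file would stop every later entry from being started. Testing for existence handles the no-match case directly and keeps the loop going: `[ -e "$entry" ] || continue`. The same line appears in the `*.stop` loop of the next hunk. The body of `start()` begins and continues outside this hunk.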
@@ -119,7 +148,11 @@
     unset VBOX_RELEASE_LOG_DEST
 
-    for user in `ls $VBOXAUTOSTART_DB/*.stop`
+    for entry in "$VBOXAUTOSTART_DB"/*.stop
     do
-        start_daemon `basename $user | sed -ne "s/\(.*\).stop/\1/p"` $binary $PARAMS > /dev/null 2>&1
+        user=$(basename "$entry" .stop)
+        [ "$user" = "*" ] && break
+        valid_db_entry "$entry" "$user" || continue
+
+        start_daemon "$user" "$binary" $PARAMS > /dev/null 2>&1
     done
 
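Review bot: Entries that fail `valid_db_entry` are dropped by `|| continue` with no record, and the output of `start_daemon` is sent to `/dev/null`, so an administrator cannot see that a file in the autostart database named a user who does not own it. A rejected entry is worth a log line, for example `valid_db_entry "$entry" "$user" || { echo "vboxautostart: ignoring invalid entry $entry" >&2; continue; }`, or the script's own logging helper if it has one (none is visible here). The `*.start` loop in the previous hunk has the same silent skip. The enclosing function starts and ends outside this hunk.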
