[vbox-dev] Access to vboxdrv

Knut St. Osmundsen bird at sun.com
Mon Sep 7 02:39:26 PDT 2009


Lubomir Rintel wrote:
> Hi,
> 
> After RPM that targets Fedora 12 gained support for filesystem
> capabilities, we've stripped off the setuid bit from VirtualBox-OSE in
> development branch of RPM Fusion (repository that contains packages of
> VirtualBox-OSE for Fedora). As it no longer starts with root privileges,
> hardening is meaningless so we disabled it.

Using file system capabilities is not sufficient here, I think.  We need
to be a (setuid) root process to exclude non-trusted (non-root
installed) binaries from opening /dev/vboxdrv and for establish that our
binaries haven't been tampered with (by anyone other than root).

> In order to be possible for ordinary user to run guest machines, I
> chmodded it to 666 mode for now. Given I don't really know what does
> access to vboxdrv grant to the use I'm not really sure if I didn't just
> create a security hole. Could anyone please provide an opinion on this?

Do no ever make /dev/vboxdrv 0666.  Heed the warning at the end of
configure.  I strongly advice you to go back to having set-user-ID-root
binaries and close up /dev/vboxdrv for non-root access.

-- 

Kind regards / Mit freundlichen Gruessen / Vennlig hilsen,
  Knut

--

Sun Microsystems GmbH        Knut St. Osmundsen
Werkstrasse 24               Senior Staff Engineer, VirtualBox
71384 Weinstadt, Germany     mailto:bird at sun.com


================================================
Sitz der Gesellschaft: Sun Microsystems GmbH,
Sonnenallee 1, 85551 Kirchheim-Heimstetten
Amtsgericht Muenchen: HRB 161028
Geschaeftsfuehrer: Thomas Schroeder,
Wolfgang Engels, Wolf Frenkel
Vorsitzender des Aufsichtsrates: Martin Haering
================================================




More information about the vbox-dev mailing list