[vbox-dev] Hardening levels in VBox OSE?

Knut St. Osmundsen bird at sun.com
Tue Mar 23 05:51:58 PDT 2010


On Mar 23, 2010, at 12:53 PM, Angel Tsankov wrote:

> Frank Mehnert wrote:
>> On Tuesday 23 March 2010, Angel Tsankov wrote:
>>> Frank Mehnert wrote:
>>>> On Tuesday 23 March 2010, Angel Tsankov wrote:
>>>>> Is there any way to disable the root ownership and group/other
>>>>> writability checks on directories in VBox OSE?
>>>> ./configure --disable-hardening
>>>> 
>>>> ?
>>> How about some way that does not disable hardening at all?
>> If hardenening is enabled the binaries must be suid root to be
>> able to access the kernel driver. All these checks ensure the
>> integrity of the VirtualBox installation. Either hardening is
>> enabled (which is strongly recommended) or it is disabled (usually
>> for development only). There is no 'weak' hardening.
> 
> I guess it will be much easier if I just explain what I want to achieve so that you can tell me how to do it, if it is at all possible.
> 
> So, I'd like to install VBox OSE in the standard directories, i.e. binaries in /usr/bin/, shared libraries below /usr/lib/, docs below /usr/share/doc/, etc. I also want all standard directories to be group writable.  This is not possible with a hardened build, is it?


No, it's not possible.  Hardened == paranoid + simple, so, we do not want to run the risk that someone has added themselves to the root group.

--

Kind regards / Mit freundlichen Gruessen / Vennlig hilsen,
  Knut

--

Sun Microsystems GmbH        Knut St. Osmundsen
Werkstrasse 24               Senior Staff Engineer, VirtualBox
71384 Weinstadt, Germany     mailto:bird at sun.com

==================================================
Sitz der Gesellschaft: Sun Microsystems GmbH,
Sonnenallee 1, D-85551 Kirchheim-Heimstetten
Amtsgericht Muenchen: HRB 161028
Gesch?ftsf?hrer: Thomas Schroeder, Wolfgang Engels
Vorsitzender des Aufsichtsrates: Martin Haering
==================================================





More information about the vbox-dev mailing list