[vbox-dev] Hardening levels in VBox OSE?
Knut St. Osmundsen
bird at sun.com
Tue Mar 23 05:51:58 PDT 2010
On Mar 23, 2010, at 12:53 PM, Angel Tsankov wrote:
> Frank Mehnert wrote:
>> On Tuesday 23 March 2010, Angel Tsankov wrote:
>>> Frank Mehnert wrote:
>>>> On Tuesday 23 March 2010, Angel Tsankov wrote:
>>>>> Is there any way to disable the root ownership and group/other
>>>>> writability checks on directories in VBox OSE?
>>>> ./configure --disable-hardening
>>> How about some way that does not disable hardening at all?
>> If hardening is enabled the binaries must be suid root to be
>> able to access the kernel driver. All these checks ensure the
>> integrity of the VirtualBox installation. Either hardening is
>> enabled (which is strongly recommended) or it is disabled (usually
>> for development only). There is no 'weak' hardening.
> I guess it will be much easier if I just explain what I want to achieve so that you can tell me how to do it, if it is at all possible.
> So, I'd like to install VBox OSE in the standard directories, i.e. binaries in /usr/bin/, shared libraries below /usr/lib/, docs below /usr/share/doc/, etc. I also want all standard directories to be group writable. This is not possible with a hardened build, is it?
No, it's not possible. Hardened == paranoid + simple, so, we do not want to run the risk that someone has added themselves to the root group.
Kind regards / Mit freundlichen Gruessen / Vennlig hilsen,
Sun Microsystems GmbH Knut St. Osmundsen
Werkstrasse 24 Senior Staff Engineer, VirtualBox
71384 Weinstadt, Germany mailto:bird at sun.com
Registered office: Sun Microsystems GmbH,
Sonnenallee 1, D-85551 Kirchheim-Heimstetten
District Court Munich: HRB 161028
Managing Directors: Thomas Schroeder, Wolfgang Engels
Chairman of the Supervisory Board: Martin Haering
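
The checks discussed in this thread (root ownership, no group/other write access on directories) can be audited before installing a hardened build. The script below is an added example, not part of the original message and not VirtualBox's own check. Walking every parent directory up to / and the names dir_findings and audit_chain are assumptions made for illustration.

```python
import os
import stat
import sys
from pathlib import Path


def dir_findings(path, trusted_uid=0):
    """Return the list of problems for a single directory."""
    st = os.stat(path)
    problems = []
    if st.st_uid != trusted_uid:
        problems.append(f"owner uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_chain(install_dir, trusted_uid=0, stop_at="/"):
    """Check install_dir and each parent up to stop_at (assumed scope).

    Returns {directory: [problems]} for every directory that fails.
    """
    report = {}
    current = Path(install_dir).resolve()
    stop = Path(stop_at).resolve()
    while True:
        problems = dir_findings(current, trusted_uid)
        if problems:
            report[str(current)] = problems
        # Stop at the requested top directory or at the filesystem root.
        if current == stop or current.parent == current:
            break
        current = current.parent
    return report


if __name__ == "__main__":
    # Default target is one of the standard directories named in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib"
    findings = audit_chain(target)
    for directory, problems in findings.items():
        print(f"{directory}: {', '.join(problems)}")
    sys.exit(1 if findings else 0)
```
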