[vbox-dev] [PATCH] VirtualBox docs for VDE fix

Renzo Davoli renzo at cs.unibo.it
Mon Feb 27 02:02:37 PST 2012

On Mon, Feb 27, 2012 at 10:38:15AM +0100, Klaus Espenlaub wrote:
> Hi Alexey,
> the proposed docs patch isn't acceptable. It means drilling an 
> unnecessary big hole into the access rights system. Don't assume that 
> you're the only user on the system. If we document things this way 
> people will report security issues in the manual.
> Solutions which use groups or other approaches are welcome...

I don't know if it helps:
vde_switch permits access mode and group to be defined in its command
line (without the need of a chmod).

vde_switch -s /tmp/switch1 -mod 0770 -group mygroup

Users can start their own switches with the permissions they like.
The only limitation is the access to a tap interface, as a user
it is (clearly) forbidden.

We use two methods:
1- we start one or more vde_switches at boot time (using a /etc/init.d
script). IP addresses(e.g. dhcp, IPv6 autoconfiguration)/routing is
defined for each switch by the sysadm.
Users' virtual machines are allowed to join the switches depending on the
permission defined. (typically group based permissions as above).
This approach is similar to a LAN in a lab where users are allowed to
plug their machines. IF there are more labs, users can join the LANs of 
the labs they are allowed to enter. 
We use this for the VM of our students: lot of users, a few tap 
2- it is possible to pre-allocate tap interfaces using tunctl or our 
vde_tunctl, and assign them to specific users.
Each user can then start his/her vde_switch and connect it to his/her own
tap. (one tap for each user).


More information about the vbox-dev mailing list