[vbox-dev] Does NATNetwork require VBoxNetNAT to be suid?

Klaus Espenlaub klaus.espenlaub at oracle.com
Mon Apr 10 11:45:39 UTC 2017


Hi Larry,

On 09.04.2017 20:35, Larry Finger wrote:
> The openSUSE change log for VB 5.0.20 contains the line "* NAT Network:
> File VBoxNetNAT no longer requires suid". (See
> https://lists.opensuse.org/opensuse-updates/2016-06/msg00002.html) I am
> not able, however, to find the corresponding line in the Oracle version
> of the changelog at https://www.virtualbox.org/wiki/Changelog-5.0.

Because it doesn't exist. From what I can tell this change will simply 
sabotage NAT Network.

For doing its job VBoxNetNAT needs to connect to an internal network, 
and that's only possible (when hardening is in effect, which it should 
be on all serious packages) if it's suid root.

> Does anyone have any recollection of changes in suid for
> /usr/lib/virtualbox/VBoxNetNAT? My problem is that NATNetwork mode does
> not work unless I set suid for that file. I'm wondering if there is some
> other problem with the spec file that openSUSE is using to build our RPM.

Wonder if the error symptoms are too subtle, tricking the openSUSE 
package maintainer into thinking suid is optional in this case. It's not.

Klaus

>
> Thanks,
>
> Larry


More information about the vbox-dev mailing list