[vbox-dev] How does VBoxSVC support VMs executed by different users/security contexts at the same time?

Thorsten Schöning tschoening at am-soft.de
Sat May 1 12:04:47 GMT 2021


Hi all,

I have two major problems with VBox and headless VMs on Windows
currently: 1. getting those executed at all using restricted,
non-admin users, e.g. by the task scheduler. The 2nd is, if those
execute with e.g. an admin user, letting the GUI manage those headless
VMs. Instead, it often reports COM-related problems when trying to
access the state etc. of known running VMs.

I have the strong feeling that all of those issues have to do with
permissions and group membership, like whether a started process is a
member of the group NT-AUTHORITY\INTERACTIVE etc. Now I've been pointed
at the docs, where some basics about the used processes and their
interaction are described, and found some pretty interesting sentences:

> VBoxSVC, the Oracle VM VirtualBox service process which always runs
> in the background. This process is started automatically by the
> first Oracle VM VirtualBox client process and exits a short time
> after the last client exits.[...]

> The service is responsible for bookkeeping, maintaining the state of
> all VMs, and for providing communication between Oracle VM
> VirtualBox components.[...]

> Oracle VM VirtualBox employs its own client/server design to allow
> its processes to cooperate, but all these processes run under the
> same user account on the host operating system, and this is totally
> transparent to the user.

https://www.virtualbox.org/manual/UserManual.html#technical-components

So how exactly is VBoxSVC started in case of e.g. headless started VMs
using some special account?

What's the relationship between VBoxSVC and VBoxSDS? It doesn't seem
to be one and the same component, because I see different process
names.

When the task scheduler executes a headless VM, VBoxSVC is created for
the first time with the credentials and security context of the
executed task. In my case this e.g. might be a restricted default user
WITHOUT interactive login.

What happens when I interactively log on the same user to manage VMs
using the GUI or VBoxManage? Is the created process able to access the
already started instance of VBoxSVC? Doesn't seem to be the case
according to my tests.

What happens when I use different users to exec multiple different
VMs? According to the docs, there's only one VBoxSVC? But during my tests
I already saw multiple of those, which might make sense if it couldn't
be recognized that some are already running because of a lack of
permissions somewhere for some reason.

So how is access to VBoxSVC secured?

Is it possible to start VBoxSVC with some high privileges manually for
successful bookkeeping etc. only, while actually running individual
VMs by users with lower privileges?

Looking at the help of that process, I see the following output:

> /RegServer:     register COM out-of-proc server
> /UnregServer:   unregister COM out-of-proc server
> /ReregServer:   unregister and register COM server
> no options:     run the server

So is that process one of the installed COM components and if so,
which one? Only "Application" would make sense to me as "System
Service" seems to be "VBoxSDS" instead of "VBoxSVC".

> VirtualBox Application
> VirtualBox System Service

If it's one of those components, one could influence under which user
the process is executed in the "identity" setting. The default is the
user executing some app like GUI or VBoxManage, which might not be
compatible with task scheduler, headless, multiple different users
etc.

Kind regards

Thorsten Schöning

-- 
AM-SoFT IT-Service - Bitstore Hameln GmbH i.G.
Member of the Bitstore Group - your full-service provider for IT and telecommunications

E-Mail: Thorsten.Schoening at AM-SoFT.de
Web:    http://www.AM-SoFT.de/

Tel:   05151-  9468- 0
Tel:   05151-  9468-55
Fax:   05151-  9468-88
Mobile: 0178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH i.G., Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB neu - Managing Director: Janine Galonska
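
The questions in the message above (how many VBoxSVC instances exist, under which accounts and sessions, and what the COM "identity" setting is) can be checked on the host with a short diagnostic. This is an added example, not part of the original post and not VirtualBox tooling; it assumes the process names VBoxSVC.exe, VBoxSDS.exe and VBoxHeadless.exe, and assumes the COM AppID entries carry the display names quoted in the post ("VirtualBox ..."), which is not confirmed by the page.

```powershell
# Added diagnostic (not VirtualBox code). Run elevated to see owners of
# processes that belong to other accounts.
$names  = 'VBoxSVC.exe', 'VBoxSDS.exe', 'VBoxHeadless.exe'
$filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '

# 1. Every VirtualBox server/VM process with its owning account and session.
$procs = Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
    $owner   = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $account = '<owner not readable, rerun elevated>'
    if ($owner.ReturnValue -eq 0) { $account = "$($owner.Domain)\$($owner.User)" }
    [pscustomobject]@{
        Name      = $_.Name
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        SessionId = $_.SessionId      # 0 = services/non-interactive session
        Account   = $account
    }
}
$procs | Sort-Object Account, Name | Format-Table -AutoSize | Out-Host

# 2. VBoxSVC instances per account and session: more than one row means
#    clients in different security contexts each got their own server.
$procs | Where-Object Name -eq 'VBoxSVC.exe' |
    Group-Object Account, SessionId |
    Select-Object @{n = 'Account, Session'; e = { $_.Name } },
                  @{n = 'Instances';        e = { $_.Count } } |
    Format-Table -AutoSize | Out-Host

# 3. COM AppID registrations whose display name starts with "VirtualBox"
#    (assumed naming). RunAs is the DCOM "identity" setting; when it is
#    absent, the server runs as the launching user. LocalService names the
#    Windows service that hosts the COM server, if any.
Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($p.'(default)' -like 'VirtualBox*') {
            $runAs = '<not set: launching user>'
            if ($p.RunAs) { $runAs = $p.RunAs }
            [pscustomobject]@{
                AppID        = $_.PSChildName
                DisplayName  = $p.'(default)'
                RunAs        = $runAs
                LocalService = $p.LocalService
            }
        }
    } | Format-Table -AutoSize | Out-Host
```

Comparing the output before and after starting the GUI in an interactive session shows whether the new client attached to the existing VBoxSVC or spawned a second one under a different account or session.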

