VirtualBox

Opened 12 years ago

Last modified 5 years ago

#10534 new defect

Virtualbox overrides umask, making it unusable for shared setup

Reported by: Harri
Owned by:
Component: host support
Version: VirtualBox 4.1.14
Keywords:
Cc:
Guest type: other
Host type: Linux

Description

I want to set up VirtualBox to use a common directory to be used by any user who sits at the console (using VBOX_USER_HOME and the machinefolder property). Problem: The VirtualBox tools (GUI or command line) ignore umask and use 0600 instead. The next user runs into "permission denied" problems.

This makes it impossible for us to deploy VirtualBox as a replacement for VMware.

Change History (8)

comment:1 by Jordi, 12 years ago

I can confirm that this same bug occurs with version 4.1.18.

Please, any solutions? Any workarounds?

comment:2 by Frank Mehnert, 12 years ago

It is true that VirtualBox does not respect umask for writing the configuration files. But on the other hand I don't get the point of the original reporter. VirtualBox configuration files are always per-user and there is no point to use the same files simultaneously by several users. If you try to do so, then there will be races when configuration files are written.

If this should be a setup like 'create a common configuration once and then use it by another user', why not just copy the configuration directory?

comment:3 by Harri, 10 years ago

Who said "simultaneously"? Why do you think that the config files are "per-user", when VB supports a VBOX_USER_HOME environment variable? Of course concurrent write access to these files and directories has to be blocked, but that's the case for a "single user approach" as well. ???

I had hoped for 4.3, but it's just a disappointment wrt the umask issue. :-(

comment:4 by Klaus Espenlaub, 10 years ago

Any kind of sharing is not in our list of valid use cases. Who told you that the reason for having VBOX_USER_HOME is to share VMs? It's intended for separating several setups for ONE user (or to have a non-default place for the user's .VirtualBox directory).

comment:5 by Harri, 10 years ago

The purpose of VBOX_USER_HOME is to relocate the configuration directory. Maybe I am too blind to see, but the documentation doesn't restrict this in any way to a single user account. Maybe this "single-user-only" approach goes without saying on Windows, but on Unix this is a bug (IMHO).

Please note that this umask issue is still the major concern of my colleagues against using VirtualBox. They prefer VMware Workstation/Player, because VMware guests are a lot easier to deploy. Using VMware the admins manage the virtual hosts (without breaking into foreign user accounts), and the users "just use it". Is it too much to ask for to get the same for VirtualBox? Please remember that we are talking about the access bits to just a few config and image files.

comment:6 by Klaus Espenlaub, 10 years ago

VirtualBox has been designed with security in mind, and the insecurity of VM sharing through "umask 000" trickery is the reason why we don't consider adding this use case. It's something which is suspiciously close to the limits of the Oracle product security policy. We'd have to make this an option (because by default the setup has to be secure), and that means to support a tiny user base which deliberately wants this we have to implement a lot of special code. Sorry to say that, but such special features can't have a high priority, which means it'll take quite a while to get it done. How about someone contributing this? You said it's easy, just a few config and image file creation calls have to be fixed.

As an immediately available alternative: How about putting the VMs to be shared in a shared account, e.g. one named "vboxvms", which is accessible by the people who need this setup? That would actually be rather similar security-wise, and is quite easy to set up for anyone with such special requirements.

comment:7 by Jordi, 10 years ago

People are asking something VBox guys are not willing to do. Period.

This may help:

http://superuser.com/questions/381416/forcing-group-and-permissions-for-created-file-inside-folder

comment:8 by Eye, 5 years ago

This is a kludgy workaround, but it helps me move forward on a Debian host in light of this bug for using a VM across two different user accounts (NEVER simultaneously in both accounts, of course!):

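cd "{vm_folder}"
# give every account read/write on the VM's files
sudo chmod -R gou+rw *
# hand the settings file and the folder itself to root
sudo chown root:root "{vm_name}.vbox"
sudo chown root:root .
# only root may create or replace entries in the folder
sudo chmod go-w .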

It basically prevents VirtualBox from changing the .vbox file, so you can use the VM across two different user accounts (I have my VMs stored in "/var/local/VirtualBox VMs"). I am using this for a WINE unfriendly Windows-only Bible study app running in Windows XP.

If you are using snapshots or want to change the VM settings, you'll need to undo these changes temporarily with the following:

cd "{vm_folder}"
sudo chmod go+w .

Hope this helps!
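
An added example, not part of any comment in this ticket: a POSIX shell audit for a shared VM folder. It lists files the next user cannot read (the 0600 problem reported here) and entries left world-writable (the state `chmod -R gou+rw *` from comment 8 produces). The function names and the sample folder are constructed for illustration, and group read access is assumed to be how the accounts share the files.

```shell
#!/bin/sh
# Added example; function names and sample files are hypothetical.

# Files with no group-read bit, e.g. created 0600 regardless of umask.
list_unreadable_by_group() {
    find "$1" -type f ! -perm -040 | sort
}

# Files or directories that any local account can modify.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 | sort
}

# Print findings; return non-zero if anything was flagged.
audit_vm_folder() {
    blocked=$(list_unreadable_by_group "$1")
    exposed=$(list_world_writable "$1")
    if [ -n "$blocked" ]; then
        printf 'not group-readable (next user gets "permission denied"):\n%s\n' "$blocked"
    fi
    if [ -n "$exposed" ]; then
        printf 'world-writable (any account can alter the VM):\n%s\n' "$exposed"
    fi
    [ -z "$blocked" ] && [ -z "$exposed" ]
}

# Constructed sample folder: one 0600 settings file, one 0666 disk image,
# one 0640 file that should not be flagged.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Shared VM"
    : > "$d/Shared VM/guest.vbox"; chmod 600 "$d/Shared VM/guest.vbox"
    : > "$d/Shared VM/guest.vdi";  chmod 666 "$d/Shared VM/guest.vdi"
    : > "$d/Shared VM/notes.txt";  chmod 640 "$d/Shared VM/notes.txt"
    chmod 750 "$d/Shared VM"
    printf '%s\n' "$d"
}

demo=$(make_sample)
audit_vm_folder "$demo" || echo "audit: findings listed above"
rm -rf "$demo"
```

To check a real folder, call `audit_vm_folder` with its path, for example the machinefolder location.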
