Opened 14 months ago
Last modified 2 months ago
#21809 new defect
Unshared Folder Seems Accessible via Symbolic Links — at Version 3
| Reported by: | hit1t | Owned by: | |
|---|---|---|---|
| Component: | shared folders | Version: | VirtualBox-6.1.44 |
| Keywords: | | Cc: | hit1t |
| Guest type: | Windows | Host type: | Linux |
Description
Hi,
I wanted to discuss something that has caught my attention and might need a bit of assistance. It's related to security, and I believe we've stumbled upon a minor hiccup. Here's what I've observed:
Shared Folder: /home/hit1t/Desktop/OnlySharedFolder
Test Folder: /home/hit1t/test
To provide you with a complete picture, I established a symbolic link to the Test Folder on my Desktop using this command:
```
ln -s /home/hit1t/test ~/Desktop/test
```
Now, here comes the interesting part: When I moved this symlink file to the shared directory, it surprisingly allowed access to the 'Test' folder from the Guest OS. This caught my attention because it has the potential to allow users access to information that hasn't been explicitly shared, which could inadvertently compromise security.
Wondering about your thoughts on this, thanks.
Change History (3)
comment:1, 14 months ago
Description: modified (diff)
comment:2, 14 months ago
comment:3, 14 months ago
Description: modified (diff)


Replying to hit1t:
I'll assume that you meant that you moved the symlink, not the linked folder.
The VirtualBox User Manual (Shared Folders) documents that symlinks are supported and that the guest by default cannot create symlinks itself. Therefore, I think that the behavior you've described is deliberate.
It is the responsibility of the host's admin when they create a link leading from a shared folder to resources outside of it. Users with access to the shared folder from the host itself (without using a VirtualBox VM) can follow the link, and users inside a VirtualBox VM are probably intended to use the shared folder and anything within (including the symlink) the same way.
Disclaimer: I'm not working for Oracle or the VirtualBox development, so this is just my two cents.
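
A host-side audit for the situation discussed in this ticket, added here as an example (it is not part of the ticket or of VirtualBox): it lists every symlink under a shared folder whose resolved target lies outside that folder. The function names and the demo directory layout are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(shared_root):
    """Return sorted (link, resolved_target) pairs for every symlink under
    shared_root whose final target lies outside shared_root."""
    root = os.path.realpath(shared_root)
    findings = []
    # followlinks=False: list links but never descend through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves relative targets and link-to-link chains;
            # a dangling link still yields the path it would point at.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def build_demo(base):
    """Constructed layout modelled on the ticket: a share plus an unshared
    sibling folder, with safe and escaping links inside the share."""
    share = os.path.join(base, "Desktop", "OnlySharedFolder")
    outside = os.path.join(base, "test")
    os.makedirs(os.path.join(share, "docs"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(share, "test"))    # absolute, escapes
    os.symlink("docs", os.path.join(share, "inner"))    # stays inside
    os.symlink("../../../test", os.path.join(share, "docs", "up"))  # relative, escapes
    os.symlink("test", os.path.join(share, "chain"))    # link to a link, escapes
    return share, outside


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        share, _ = build_demo(base)
        for link, target in escaping_symlinks(share):
            print(f"{link} -> {target}")
```

Run against a real share by passing its host path to `escaping_symlinks`; an empty result means no link under the share resolves outside it.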