VirtualBox

Ticket #7099 (new enhancement)

Opened 4 years ago

Last modified 3 years ago

Password protection - deny virtual box from running without entering a password.

Reported by: avi_m1968
Owned by:
Priority: trivial
Component: VM control
Version: VirtualBox 3.2.6
Keywords:
Cc:
Guest type: Linux
Host type: Windows

Description

Hello

I wrote about this in the suggestions forum and I was told to add this here as an enhancement feature.

We have a server running special analysis software with several VBOXES installed on it.

Each VBox is assigned to a different worker. However, we want to restrict the access to/enable running those VBoxes to their assigned worker only!

So our enhancement feature request is to add an option called "Enable Password protect". This password would be stored (encrypted, of course) on the VDI, and when someone tries to run the VB it would check if there is a password. If there is one, it would pop up a box asking for it. Unless the password is entered correctly, the virtual box won't start and won't let the person make any changes to the configuration of the box.

We don't want to encrypt all of the VDI! :-)

We only want a simple way to restrict access to/running and changing the configuration of the box by an unauthorized worker.

You can call it "Enable Password Protect" or "Admin Password Protect" or "Configuration/Running Password Protect" or "Vbox Password protect" etc.

Thank you, Avi

Change History

comment:1 Changed 4 years ago by michael

Sounds like something you could do using other means. If the workers are logging into the server and using VirtualBox locally, you could set up separate user accounts for them. If they are accessing them via RDP, you could set up authentication. You might still want to describe your setup a bit more though.

comment:2 Changed 4 years ago by avi_m1968

Hi

I'll describe the setup we have. We have a server running analysis software in the foreground under a single-user setup. It can't run as a service nor under a different user. This program generates output into files and to the screen. On this user we have installed 3 VBs that run Windows XP. Each box is used by a different worker. Our workers work in shifts, where each one has his OWN VB to work on. Each worker develops software for a different company in his OWN VB, using the data from the analysis software, both files and screen output. Each worker must not know what the other worker is working on and must not be able to watch/run a different VB than his.

Today we have 3 workers doing those shifts and they are easy to control. But we plan to add 50 more workers and different places, and it would be hard to control what they are running, even if they make a mistake.

This is why we asked you to implement a simple way to prevent someone from running a VM that is not his.

We have tried many ideas like what you said and others, but under the setup we have nothing works. We even tried a safedisk software but it just slowed everything, and we need fast working VBs.

I know that adding a feature takes time, but I think that what we ask is simple to add. It should not affect any VDI disks, since if there is no password or the VB version won't look for it, it would still run the VB without a problem. Only later versions with this option enabled would look for a password, and only if found would pop the question.

We can also take it a step in a different direction and place the password in one of the config files of the VB and not on the VDI itself. Then if a password is found in the config file, the software would prompt for a password. This would be compatible with all versions.

Again, no encryption of anything is needed. Just a new XML field with a password in it to be checked.

Please look into it and let me know. Thank you, Avi.

comment:3 Changed 4 years ago by michael

I'm not really sure that what you are asking for would have any value for us. If I understand correctly, you basically want a configuration that is still readable and writable to anyone working as a given user, but a password (more or less discretionary) for VirtualBox to allow someone access to the VDI and/or configuration, which the user could easily access and modify if they so wanted with some other tool that doesn't ask for a password.

And I still also think that you could find a solution to this with much less effort than we would need to implement such a password check. A couple of other random solutions: if you don't need a VM to be running when a user is not logged in, the user can keep their user home and configuration on a removable drive and plug that into your server when they want to work on it. And if the VMs always need to be running, then have them running headless under a second user account and let each user log into their own using RDP with a different port number allocated to each.

I will leave the ticket open for now, but I don't think this will be implemented in the immediate future in this form.

comment:4 Changed 4 years ago by avi_m1968

Hi

I just wanted to clear up a small issue. When I talked about being able to access a VB's settings and VDI by another VB version that does not support passwords, I meant that as backwards compatibility only. Of course, after one would upgrade his VB version, it would update the password field as empty or with a password.

As I said, we have tried all those ideas of RDP, VNC, user accounts and others, but none of them are good for what we do. Also, we can't connect any external devices to the computer due to security needs.

We have implemented the password idea in all our internal software and it works great. Our programmers added this simple check as the program starts, and it does not continue until the password is entered. They didn't make any other changes to the software itself.

Since VirtualBox is not ours ;-) we asked you to add this feature.

We think that such a feature would help others too who have a number of VBs installed and listed, and would allow a user to run/access only the ones they have a password to.

In the last BIG security show in Vegas I have been to, I saw that many software and network devices are supporting and implementing passwords, encryption and other protections in their software/firmware/OS as standard. So our simple feature request is the first simple step to this, and I think that after it you might even go all the way to secure the VDI by encryption and other means to protect the end user's data.

We would be happy if you leave this ticket open so you might add such a feature.

Thank you, Avi

comment:5 Changed 4 years ago by avi_m1968

Hello

I just wanted to update. We have talked with VMWARE today and they HAVE this feature to protect the VM and allow access to/running it only if you have a password (their ACE software supports it).

They also have the option to encrypt the VM so it can't be read.

Since VMWARE provides that feature of a password before running the box, our system admin wants to buy VMWARE to solve our problem.

I think that they are making a mistake. I think that VirtualBox is doing a good job now and it would be a shame to replace it.

Is there any way you can add this feature we ask for? Just a password before you run.

I have also looked on the internet and found other people are looking for such an option.

Thank you, Avi

comment:6 follow-up: ↓ 7 Changed 4 years ago by klaus

What would be "expected" time scale for this feature? Just curious...

comment:7 in reply to: ↑ 6 Changed 4 years ago by avi_m1968

Replying to klaus:

What would be "expected" time scale for this feature? Just curious...

Hi

I don't understand your question. Which time frame do you mean? :-( On our side, we plan to start expanding our VBs in about two months' time, adding about 5-10 every month. If you tell me that it would take you 2-3 months to add this feature to the VB, I guess I could make some noise and delay the deployment to only 3 VBs in the first month so we can keep our control on a smaller number of new workers.

If not, then our system admins would start to push for VMWARE and this would delay the project itself, since we would need to start our testing again under VMWARE and then deploy their VMs :-(

So the time frame for this simple feature from our side is about 3 months. This is why I asked for it now and didn't wait until it was too late. Let me know if 3 months from now is OK on your side, or would you need more time?

Again, we don't need encryption of the disk, only a simple password before the VB would be started :-)

Thank you, Avi

comment:8 Changed 4 years ago by avi_m1968

Hello

My system admins need an answer to our question. Are you planning to add this feature to VirtualBox within the next 2-3 months? We must know which direction to continue in: with VirtualBox, which we work with now, or a VMWARE VM, which we must start testing if you don't plan to add that simple feature. Please let me know. Thank you, Avi

comment:9 follow-up: ↓ 10 Changed 3 years ago by artiomjar

I also want to encrypt the VDI contents so they cannot be read by Notepad or a similar text editor, and the password will be asked for even if you start another virtual machine with a cloned encrypted VDI.

comment:10 in reply to: ↑ 9 Changed 3 years ago by artiomjar

Replying to artiomjar:

I also want to encrypt the VDI contents so they cannot be read by Notepad or a similar text editor, and the password will be asked for even if you start another virtual machine with a cloned encrypted VDI.

delete this comment followed below.
