VirtualBox

Ticket #7198 (closed defect: invalid)

Opened 4 years ago

Last modified 3 years ago

sharing guest impossible because xml settings files written in mode 600 instead of 660

Reported by: jastern
Owned by:
Priority: major
Component: other
Version: VirtualBox 3.2.6
Keywords:
Cc:
Guest type: Windows
Host type: Linux

Description

(this is with linux/ubuntu host and windowsxp guest, with vbox 3.2.6 -- not the OSE, but the linux host downloaded from  http://www.virtualbox.org/wiki/Linux_Downloads for ubuntu 10.04 AMD64.)

i noticed that Virtualbox writes its .xml config files in the ~/.VirtualBox and ~/.VirtualBox/Machines/MACHINE_NAME directories in mode 600, which makes it impossible to share a virtualbox guest between users on the same system. they should be written in mode '660'.

furthermore, if i as root correct the permissions to be 660 on the 2 relevant .xml files contained in these directories, then the next time VirtualBox is run for this guest, these 2 .xml files will unfortunately have their permissions re-set to 600. :o(

this shared setup worked successfully for me using the 3.1.6 OSE version from ubuntu -- i did not have this problem with the OSE. now that i've upgraded (in an attempt to get access to my USB devices), i can't share the guest between the 2 users.

my use case:

if i have two users on my home box: usera and userb. both users belong to group 'users'. i have /home/usera/.VirtualBox and /home/userb/.VirtualBox both sym-linked to /home/virtualbox/.VirtualBox, and /home/virtualbox/.VirtualBox is group-owned by 'users' and has the setgid bit set so it is in mode 2775. thus, every file and sub-directory created under it should belong to group 'users' (and this is true). my vbox name is 'WindowsXP'.

the problem is that if usera uses the system, then, in the /home/virtualbox/.VirtualBox directory, the VirtualBox.xml file will have its permissions set to 600 when they should be 660:

-rw------- 1 usera  users     2261 2010-07-18 11:58 VirtualBox.xml

now only usera can use the system.

now if usera shuts down the guest and logs off and userb signs in and tries to access the guest, userb will get a dialog box popping up saying:

VirtualBox - Critical Error
-------------------------------
Failed to create the VirtualBox COM object.
The application will now terminate.
Runtime error opening '/home/userb/.VirtualBox/VirtualBox.xml' for reading: -38 (Access denied.).
/home/vbox/vbox-3.2.6/src/VBox/Main/VirtualBoxImpl.cpp[535] (nsresult VirtualBox::init()).

and in the Details of that dialog box, it says:

Result Code: NS_ERROR_FAILURE (0x80004005)
Component: VirtualBox
Interface: IVirtualBox {3f36e024-7fed-4f20-a02c-9158a82b44e6}

(note that /home/userb/.VirtualBox/VirtualBox.xml is really /home/virtualbox/.VirtualBox/VirtualBox.xml)

now if i try to reset the file permissions on the /home/virtualbox/.VirtualBox/VirtualBox.xml file:

$ chmod 660 /home/virtualbox/.VirtualBox/VirtualBox.xml

it makes that error go away, but now userb will get another, similar message, about the /home/userb/.VirtualBox/Machines/WindowsXP/WindowsXP.xml file (which of course is really /home/virtualbox/.VirtualBox/Machines/WindowsXP/WindowsXP.xml).

so i reset that 2nd XML file to mode 660 as well:

$ chmod 660 /home/virtualbox/.VirtualBox/Machines/WindowsXP/WindowsXP.xml

so that that file (which also belongs to 'users' group already) is accessible, now userb can fire up the WindowsXP guest. (assuming of course, that usera has shut down the guest from their side first).

however, now the reverse is true: after userb has used the guest, VirtualBox has rewritten those files and reset their mode to 600 so that they are not accessible by the group, only owner. so now usera cannot use the system. these files should be preserved in mode 660.

please let me know if there is a simple config to override this, or if i'm missing something super-obvious (most usually am :-) ) or if you need any more information, and thanks.

Change History

comment:1 Changed 4 years ago by jastern

actually, i just figured out a workaround for now:

i add a custom application launcher to each user's gnome panel, which points to a bash script i made, /home/virtualbox/runvbox.sh

the script looks like this:

#!/bin/bash
gksudo chmod 660 /home/virtualbox/.VirtualBox/VirtualBox.xml /home/virtualbox/.VirtualBox/Machines/WindowsXP/WindowsXP.xml
VBoxManage startvm "WindowsXP" >& /dev/null &

comment:2 Changed 4 years ago by frank

  • Status changed from new to closed
  • Resolution set to wontfix

Actually I don't see the point in sharing .xml files between different users. You can share the hard disk but the .xml files are owned by exactly one user.

comment:3 Changed 4 years ago by jastern

well, i guess the point is ease and accuracy of administration. settings only have to be managed once, instead of in duplicate/parallel.

however, if what you say is true -- that it is possible to share the hard disk using parallel/duplicate settings -- then i suppose my heading is not completely accurate. it's not impossible to share a guest -- only inconvenient from an administration standpoint.

comment:4 Changed 4 years ago by raffaellod

  • Status changed from closed to reopened
  • Resolution wontfix deleted

I’m sorry, I really can’t see why I should not be allowed to have another user account share my virtual machines. I have VBOX_USER_HOME=/home/shared/vms in the host’s environment, so that every user who belongs to vboxusers can use any of the guest machines.

Theoretically.

In practice, since one or two versions ago (at least 3.2.6), this is no longer possible, since the permissions get completely disregarded and overwritten by VirtualBox.

I’m also quite sure that any EAs or ACLs or SELinux context for the files is lost, and I really don’t see a reason for this. In my use case, the previous behavior to just replace the contents of the .xml file was correct, not the current one.
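The mode reset reported in this ticket is what a save looks like when the settings file is replaced by a freshly created private file instead of being overwritten in place. The following is an added example, not part of the ticket and not VirtualBox code; that the save works by temp-file-and-rename is an assumption, and the function names and file contents are constructed for illustration (GNU coreutils assumed).

```shell
#!/bin/bash
# Added example (not VirtualBox code); function names and contents are hypothetical.
# Assumes GNU coreutils (stat -c, chmod --reference, mktemp) on a Linux host.

mode_of() { stat -c '%a' "$1"; }

# Save by overwriting the existing inode: mode, group and ACLs stay as they were.
save_in_place() {
    printf '%s\n' "$2" > "$1"
}

# Save by writing a private temp file and renaming it over the target.
# mktemp creates the file 0600, so the target ends up 0600 whatever it was before.
save_by_replace() {
    local tmp
    tmp=$(mktemp "$1.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1"
}

# Same replace, but copy the old file's permission bits onto the temp file first.
save_by_replace_keep_mode() {
    local tmp
    tmp=$(mktemp "$1.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" &&
        chmod --reference="$1" "$tmp" && mv -f "$tmp" "$1"
}

# List .xml files under a directory that lack group read/write.
not_group_rw() { find "$1" -type f -name '*.xml' ! -perm -060; }

# Run the three strategies against a constructed settings file set to 660.
demo() {
    local dir f out=""
    dir=$(mktemp -d) || return 1
    f="$dir/VirtualBox.xml"
    for strategy in save_in_place save_by_replace save_by_replace_keep_mode; do
        printf '<constructed/>\n' > "$f"; chmod 660 "$f"
        "$strategy" "$f" '<constructed rev="2"/>'
        out="$out$strategy=$(mode_of "$f") "
    done
    rm -rf "$dir"
    printf '%s\n' "${out% }"
}

demo
```

The mode-preserving variant copies only the permission bits; ACLs and SELinux contexts, which comment:4 also mentions, would need their own copy step.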

comment:5 Changed 3 years ago by frank

  • Status changed from reopened to closed
  • Resolution set to invalid

We don't support sharing .xml files between users and we will not implement that, period. The .xml settings are per user, and everything else would be a security issue on many systems.

comment:6 Changed 3 years ago by lkraav

i'm leaving this as closed, but just for the record, here's another guy looking for this sharing ability.
