VirtualBox

Ticket #7759 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

virtualbox grabs all usb devices via udev -> fixed as of 2010.11.29

Reported by: jba
Owned by:
Priority: minor
Component: USB
Version: VirtualBox 3.2.10
Keywords: udev, permissions
Cc:
Guest type: Windows
Host type: Linux

Description

I used virtualbox 2.2 before and now 3.2 (on debian lenny). Both have the same problem: the udev script 10-vboxdrv.rules grabs usb devices and puts them in the group vboxusers:

KERNEL=="vboxdrv", NAME="vboxdrv", OWNER="root", GROUP="root", MODE="0600"
SUBSYSTEM=="usb_device", GROUP="vboxusers", MODE="0664"
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="vboxusers", MODE="0664"

While the first line seems reasonable to me, the second and third do not. As I understand them, they grab all usb-devices and make them accessible by the group vboxusers. This may not be desirable.

On the other hand, usb devices that are used by other software and have their own udev script might not get the device. I own a chipcard reader which is managed by a daemon, which has its own group. However, with virtualbox, the device is assigned to the group vboxusers and the chipcard daemon can no longer access it (as it is not in the vboxusers group). So, virtualbox makes the chipcard reader unusable unless the faulty udev script is changed.

I don't understand the necessity of 10-vboxdrv.rules. Linux has means to allow and protect access of devices for all users. If the system doesn't allow a user access to a special device, why should he be allowed to use it, when he uses virtualbox?

Juergen
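
An added example, not part of the ticket or of VirtualBox: a small Python audit that flags udev rules which, like the second and third rules quoted above, assign OWNER, GROUP or MODE to every USB device without narrowing the match to specific hardware. The set of "narrowing" keys is a heuristic assumption, and the device-specific rule in the sample (IDs and group name) is constructed.

```python
import re

# One udev token: KEY or KEY{attr}, an operator, and a quoted value.
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]+\})?)\s*(==|!=|\+=|:=|=)\s*"([^"]*)"')
# Match keys treated as tying a rule to particular hardware (heuristic assumption).
NARROWING = re.compile(r'^(ATTRS?\{.+\}|ENV\{(ID_VENDOR_ID|ID_MODEL_ID|PRODUCT)\})$')
PERMISSION_KEYS = {"OWNER", "GROUP", "MODE"}

def blanket_usb_rules(text):
    """Return [(first_line_number, {key: value})] for rules that change
    ownership or mode on all USB devices rather than on a specific one."""
    findings, pending, start = [], "", 0
    for number, line in enumerate(text.splitlines(), 1):
        if not pending:
            start = number
        pending += line.strip()
        if pending.endswith("\\"):          # udev line continuation
            pending = pending[:-1] + " "
            continue
        rule, pending = pending, ""
        if not rule or rule.startswith("#"):
            continue
        tokens = TOKEN.findall(rule)
        matched = {k: v for k, op, v in tokens if op == "=="}
        assigned = {k: v for k, op, v in tokens
                    if op in ("=", ":=", "+=") and k in PERMISSION_KEYS}
        is_usb = matched.get("SUBSYSTEM") in ("usb", "usb_device")
        narrowed = any(NARROWING.match(k) for k in matched)
        if is_usb and assigned and not narrowed:
            findings.append((start, assigned))
    return findings

# Lines 2-4 are the rules quoted in the ticket; the rest is constructed.
SAMPLE = '''\
# 10-vboxdrv.rules as quoted in the ticket
KERNEL=="vboxdrv", NAME="vboxdrv", OWNER="root", GROUP="root", MODE="0600"
SUBSYSTEM=="usb_device", GROUP="vboxusers", MODE="0664"
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="vboxusers", MODE="0664"
# Constructed device-specific rule; IDs and group name are placeholders
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0001", \\
  GROUP="cardreader", MODE="0660"
'''

if __name__ == "__main__":
    for lineno, changes in blanket_usb_rules(SAMPLE):
        print(f"line {lineno}: applies {changes} to all USB devices")
```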

Change History

comment:1 Changed 3 years ago by klaus

You're misunderstanding the meaning of the vboxusers group. It is a group which provides extra permissions which are useful to have in the VirtualBox context. In particular if one wants to pass USB devices to a VM this requires access to the raw USB device. It's simply not practical to require per-device rules, as it is completely unpredictable what the user connects next and wants to use from a VM.

The user doesn't have to be in group vboxusers to run VirtualBox, at least not in the packages provided on virtualbox.org.

comment:2 Changed 3 years ago by klaus

  • Cc Juergen.Bausa@… removed

comment:3 Changed 3 years ago by jba

You're misunderstanding the meaning of the vboxusers group. ... The user doesn't have to be in group vboxusers to run VirtualBox,

Ok, this may be my misinterpretation.

However, the second point is still valid: virtualbox grabs devices that would have been owned by other groups if there were no virtualbox. This changes the permission of the devices and they may become unusable.

Juergen

comment:4 Changed 3 years ago by klaus

There's work in progress to resolve this permission change... will probably land with 4.0.0.

comment:5 Changed 3 years ago by michael

  • Summary changed from virtualbox grabs all usb devices via udev to virtualbox grabs all usb devices via udev -> fixed as of 2010.11.29

The change has been in our development repository since yesterday. The udev rules have been changed to create a second tree of USB devices (/dev/vboxusb/xxx/yyy) accessible to the group vboxusers, and the /dev/bus/usb/xxx/yyy devices are no longer touched. Members of the group vboxusers will still be able to access all non-hub USB devices on the system. Allowing this access is currently the only purpose of the group, so a user can be denied access without otherwise affecting VirtualBox by simply not making them a member of the group. In this case of course they will not be able to access USB devices in VMs (short of e.g. setting up custom permissions for specific devices).

comment:6 Changed 3 years ago by michael

Note that this fix will not be backported to the 3.2 series.

comment:7 Changed 3 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Should be fixed in 4.0.
