[Bug 664520] New: virtualbox needs access to usb devices

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c0

           Summary: virtualbox needs access to usb devices
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: mseben@gmail.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.6) Gecko/20100626 SUSE/3.6.6-1.2 Firefox/3.6.6

Hi,

virtualbox 4.0.0 introduced usb support inside guests for the oss version. This also means that vbox now needs rw access to usb devices. From the code
http://www.virtualbox.org/browser/trunk/src/VBox/Main/src-server/linux/USBGe...
I see that vbox searches the "/dev/vboxusb" and "/dev/bus/usb" directories for usb nodes. I don't want to touch /dev/bus/usb directly, which has r/w permissions only for root, so I created the following udev rule which creates usb nodes in /dev/vboxusb/ with rw permissions for the "vboxusers" group (vboxusers is needed to run virtualbox):

SUBSYSTEM=="usb_device", ATTR{devnum}=="?*", ATTR{busnum}=="?*", NAME="vboxusb/$attr{busnum}/$attr{devnum}", GROUP="vboxusers"
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{devnum}=="?*", ATTR{busnum}=="?*", NAME="vboxusb/$attr{busnum}/$attr{devnum}", GROUP="vboxusers"

I am not sure if this is ok from a security point of view; also I am not sure how strict the openSUSE rules are in this case ...

thanks

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c1

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2011-01-14 16:04:01 CET ---
I don't think that's a good idea. Raw usb access might allow any user that is allowed to run virtualbox to e.g. sniff usb keyboard input or access storage devices bypassing the block layer. That would be an undesired side effect I guess.

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c2

Michal Seben <mseben@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Michal Seben <mseben@gmail.com> 2011-01-14 21:16:30 UTC ---
hm ... and what about putting a seteuid() call before the line where the usb node is opened for rw access? virtualbox's binary already has the setuid bit for access to the /dev/vboxdrv device:

grep VirtualBox /etc/permissions.easy
/usr/lib/virtualbox/VirtualBox                          root:vboxusers    4750

is this acceptable?

thanks

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c3

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@novell.com

--- Comment #3 from Marcus Meissner <meissner@novell.com> 2011-01-15 09:54:10 UTC ---
Then virtualbox can still open all devices ... there needs to be some kind of access control by the host system: only the devices the user has access to, e.g. like we already do for userland access to MTP players, cameras and the like.

What devices is this usually targeting?

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c4

--- Comment #4 from Michal Seben <mseben@gmail.com> 2011-01-15 21:38:38 UTC ---
(In reply to comment #3)

From your responses I feel that we don't want to assign full usb access to virtualbox (am I right?)

thank you guys for the quick response

bye

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c5

Sven Burmeister <sven.burmeister@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sven.burmeister@gmx.net

--- Comment #5 from Sven Burmeister <sven.burmeister@gmx.net> 2011-01-20 17:02:54 UTC ---
As long as there is a well documented way to easily enable this for users who own their box, i.e. could only sniff their own data, it can be switched off by default IMHO. And those that are afraid of whatever within the vbox might be sniffing their usb devices can restrict vbox to not allow access to usb devices per virtual machine.

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c6

Jan Ritzerfeld <suse@bugs.jan.ritzerfeld.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |suse@bugs.jan.ritzerfeld.org

--- Comment #6 from Jan Ritzerfeld <suse@bugs.jan.ritzerfeld.org> 2011-04-13 17:37:38 UTC ---
Well, at the moment, it is not well documented since I had to search for an hour to find the solution. Furthermore, changing the provided udev rules by removing the '#'s leads to

1. kernel messages while booting and later on for each USB device:
   "kernel-provided name 'bus/usb/002/006' and NAME= 'vboxusb/2/6' disagree, please use SYMLINK+= or change the kernel to provide the proper name"

2. at least an inaccessible scanner, because udev rule 55-libsane.rules does not work anymore

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c7

--- Comment #7 from Jan Ritzerfeld <suse@bugs.jan.ritzerfeld.org> 2011-04-16 17:34:10 UTC ---
Continued from Comment 6:

3. non-working USB ports anyhow, the Windows guest tells me "The Device Cannot Start (Code 10)"
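To put the blanket rule from comment #0 next to the narrower grant Marcus asks for in comment #3, here is an added example rules file. It is not part of the bug report, nor of the openSUSE or VirtualBox packages. It assumes that VirtualBox picks up a symlink under /dev/vboxusb the same way it picks up a device node there (the thread only says it scans that directory), and the vendor/product pair 0000/0000 is a placeholder to be replaced with the IDs of the one device the user is meant to pass through.

```udev
# Added example, not from the bug report or the VirtualBox/openSUSE packages.
#
# Weak form (the rule from comment #0): every USB device node on the host is
# renamed into /dev/vboxusb and made accessible to the whole vboxusers group.
# This is the blanket raw access comment #1 objects to, and the NAME= rename
# is what the "kernel-provided name ... disagree" warning in comment #6 is about.
#SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{devnum}=="?*", ATTR{busnum}=="?*", NAME="vboxusb/$attr{busnum}/$attr{devnum}", GROUP="vboxusers"

# Narrower form: the node keeps the kernel's /dev/bus/usb/BBB/DDD name, a
# symlink is added under /dev/vboxusb (the SYMLINK+= the kernel warning asks
# for, assumption: VirtualBox follows it), and only one device, matched by
# vendor/product ID, becomes group-accessible. 0000/0000 is a placeholder.
# Every member of vboxusers still gets raw access to that one device, so a
# keyboard or a storage device (comment #1) is not a good candidate for it.
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="0000", ATTR{idProduct}=="0000", SYMLINK+="vboxusb/$attr{busnum}/$attr{devnum}", GROUP="vboxusers", MODE="0660"
```

The `$attr{busnum}` and `$attr{devnum}` substitutions expand to the unpadded numbers ("2" and "6" in the warning quoted in comment #6), so the symlink path matches the layout the original rule produced while the real node stays where the kernel and other rules expect it.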

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c8

Stefan Brüns <stefan.bruens@rwth-aachen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stefan.bruens@rwth-aachen.de

--- Comment #8 from Stefan Brüns <stefan.bruens@rwth-aachen.de> 2011-06-22 13:34:56 UTC ---
(In reply to comment #7)

Same here. According to the VB wiki, it should be enough to install the VB extension pack to get access to EHCI (USB 2.0) devices. When I install VB from http://download.virtualbox.org/virtualbox/4.0.8/, USB works.

One obvious difference: the USB settings from vb.org show a checkbox to enable EHCI, whereas the one from opensuse.org does not.

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c9

Marton Balint <cus@fazekas.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cus@fazekas.hu

--- Comment #9 from Marton Balint <cus@fazekas.hu> 2012-09-15 15:57:46 UTC ---
If you don't want to enable this rule by default due to security reasons, that is fine. But please add some pointer to the VirtualBox application itself which reports that you have to check the commented-out UDEV rules. It should work the same way you warn the user about the vboxusers group! This could have saved me an hour of searching and trying...

https://bugzilla.novell.com/show_bug.cgi?id=664520
https://bugzilla.novell.com/show_bug.cgi?id=664520#c10

Hans-Peter Jansen <hpj@urpla.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hpj@urpla.net

--- Comment #10 from Hans-Peter Jansen <hpj@urpla.net> 2013-01-22 00:01:56 UTC ---
Related to this issue, I've created https://bugzilla.novell.com/show_bug.cgi?id=799741, since it is biting me now, and I hope some kind souls here will take a look.

Ludwig, Marcus, please?

http://bugzilla.novell.com/show_bug.cgi?id=664520

Victor Pereira <vpereira@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
                 CC|                            |vpereira@novell.com
         Resolution|---                         |WONTFIX

--- Comment #11 from Victor Pereira <vpereira@novell.com> ---
there is actually nothing to fix

http://bugzilla.novell.com/show_bug.cgi?id=664520

Marton Balint <cus@passwd.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |---

--- Comment #12 from Marton Balint <cus@passwd.hu> ---
IMHO a warning message box should be added, similar to the one which is shown if the user is not part of the vboxusers group, because the solution is not trivial.
