[Bug 429725] New: VirtualBox OSE 2.0.2 will not load as user but will load for root.
https://bugzilla.novell.com/show_bug.cgi?id=429725

Summary: VirtualBox OSE 2.0.2 will not load as user but will load for root.
Product: openSUSE 11.0
Version: Final
Platform: i686
OS/Version: openSUSE 11.0
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: vendion@charter.net
QAContact: qa@suse.de
Found By: ---

I was put in charge of installing a virtual machine system on a public access system. I picked VirtualBox OSE because I know VirtualBox very well, and most of the people there know how to use VirtualBox, and the open source edition because it is in the repo, but after correctly configuring it after install only root can launch VirtualBox OSE; everyone else gets this error:

VirtualBox: SUPR3HardenedMain: effective uid is not root (euid=100 egid=100 uid=1000 gid=100)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
User stbinner@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c1
Stephan Binner
User suse-tux@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c2
--- Comment #2 from Marcus Hüwe
User vendion@charter.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c3
--- Comment #3 from Adam Jimerson
User vendion@charter.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c4
Adam Jimerson
User suse-tux@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c5
--- Comment #5 from Marcus Hüwe
User suse-beta@cboltz.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c6
Christian Boltz
The permissions are wrong it should be 4711 (in case you want to execute it as a normal user). But this should happen automatically if you install the rpm (as long as your system security level is set to "easy").
According to http://forums.virtualbox.org/viewtopic.php?t=9804&sid=2321407d329894a8a9dec5b8adf8c9cf there is a configure switch --disable-hardening which would avoid the need for the suid bit on several files. I'm somewhat undecided if giving an application root permissions (via suid bit) really helps to improve security :-/ - even if the configure switch implies something else... Did you ask the security team about setting the suid bits? If so, what is their opinion?
User johann-nikolaus.andreae@nacs.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c7
Johann-Nikolaus Andreae
User jreidinger@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c8
Josef Reidinger
User suse-tux@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c9
--- Comment #9 from Marcus Hüwe
User johann-nikolaus.andreae@nacs.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c10
--- Comment #10 from Johann-Nikolaus Andreae
User suse-tux@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c11
--- Comment #11 from Marcus Hüwe
This did not help. No permissions of virtualbox changed.
What's the output of "grep PERMISSION_SECURITY /etc/sysconfig/security"?
User johann-nikolaus.andreae@nacs.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c12
--- Comment #12 from Johann-Nikolaus Andreae
User suse-beta@cboltz.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c13
Christian Boltz
User thomas@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c14
--- Comment #14 from Thomas Biege
User vuntz@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c15
--- Comment #15 from Vincent Untz
User felix@derklecks.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c16
Felix Möller
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c17
--- Comment #17 from Ludwig Nussel
User suse-beta@cboltz.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c18
Christian Boltz
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c19
--- Comment #19 from Ludwig Nussel
BTW: What will happen if you find out that VirtualBox has a security bug in the to-be-suid-root files? Will you release an update for 11.1 or will you say "hey, we didn't ship it suid-root, so what?"
Depends on the bug. If the system is broken by design it could very well happen that a privilege escalation bug is not fixable. We need the audit to also estimate that risk.
User suse-beta@cboltz.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c20
--- Comment #20 from Christian Boltz
(In reply to comment #18 from Christian Boltz)
BTW: What will happen if you find out that VirtualBox has a security bug in the to-be-suid-root files? Will you release an update for 11.1 or will you say "hey, we didn't ship it suid-root, so what?"
Depends on the bug. If the system is broken by design it could very well happen that a privilege escalation bug is not fixable.
Sounds like another argument to disable the hardening for now, which means the suid bit isn't required... I'd recommend to use --disable-hardening for 11.1 for two reasons:
- it will save users lots of problems (because VirtualBox with hardening will fail to run by default)
- it is more secure than a potential privilege escalation ;-)
- and you can be sure that everybody who needs VirtualBox will set the suid bit. No, wait - some people might just start it as root...
User vendion@charter.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c21
--- Comment #21 from Adam Jimerson
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c22
--- Comment #22 from Ludwig Nussel
User suse-tux@gmx.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c23
--- Comment #23 from Marcus Hüwe
Therefore please turn on all hardening measurements offered by upstream and ship the package without additional permissions.
Hmm and what about shipping an older (< 2.0.0) working version of virtualbox which doesn't need the hardening?
User felix@derklecks.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c24
--- Comment #24 from Felix Möller
User mkudlvasr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c25
Martin Kudlvasr
User mkudlvasr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c26
--- Comment #26 from Martin Kudlvasr
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c27
Ludwig Nussel
Hmm and what about shipping an older (< 2.0.0) working version of virtualbox which doesn't need the hardening?
IIRC an audit was aborted because previous versions already had grave security problems with the kernel interface. So shipping an old version doesn't improve anything.
(In reply to comment #25 from Martin Kudlvasr)
As far as I have read the code, virtualbox uses the suid root ONLY to open /dev/vboxdrv. Right after that, setresuid is used to set privileges of the process to uid (and gid) of the user. The process is very well commented (surprisingly well) in the source files.
Good to hear. An Audit will hopefully confirm that it's indeed safe.
Please consider these arguments when making the decision:
- Users had access to the kernel module until now through group vboxusers. In the suid version, they still have access to it, but only through virtualbox binary. The suid version is actually reducing access to the kernel module.
You mean you are going to drop the vboxusers group? I'd keep that even with the setuid programs.
- Running virtualbox as root is much less secure than either of the suid or vboxusers versions.
That's a misconception. A kernel interface that allows you to change arbitrary things in kernel space as user is almost equivalent to root access with the exception that you don't know it (which makes it even worse). So in this situation it is only honest to require authentication as root.
So far I see 3 options
Choice 1 (lnussels, if I understood correctly):
- do not add virtualbox permissions to permissions package
- document, that virtualbox can be run only as root.
- mention the documentation in the error message, so that users won't be completely puzzled.
Choice 2:
- do not add virtualbox permissions to permissions package
- document, how users can add permissions to /etc/permissions and set virtualbox suid by hand (and SUSE/security will deny responsibility for the risk)
- mention the documentation in the error message, so that users won't be completely puzzled.
Choice 3:
- add virtualbox permissions to permissions package.
- imho most secure.
My order of preference: Choice 3, Choice 2, Choice 1
I ask the security team for the final decision, whatever that will be.
I'll bring this issue up again in our team meeting on Monday to increase the priority of the audit. Until the Audit is done my suggestion is 1+2 as you always have the choice to add your binaries to permissions.local or to run virtualbox via su/sudo.
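The open-then-drop sequence discussed in the comment above (open the device node while still setuid root, then setresuid/setresgid to the invoking user), written out as an added C example. It is not VirtualBox's code and was not posted in this bug; the function names and the /dev/null default path are assumptions made for illustration.

```c
#define _GNU_SOURCE            /* setresuid/getresuid are not plain POSIX */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the block compiles even if _GNU_SOURCE comes too late. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Permanently give up setuid privileges: real, effective and saved IDs all
 * become the invoking user's. Returns 0 on success, -1 on any failure. */
int drop_to_real_ids(void)
{
    uid_t uid = getuid(), r, e, s;
    gid_t gid = getgid(), rg, eg, sg;

    /* Group first: once the uid is dropped, changing gids is no longer allowed.
     * (A setuid binary already carries the caller's supplementary groups.) */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;

    /* Verify rather than trust return codes: the saved IDs must be gone too. */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;
    /* A non-root caller must not be able to get root back. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return 0;
}

/* Open the privileged resource, then drop. Returns the fd, or -1; the fd is
 * closed if the drop failed so a half-dropped process never keeps it. */
int open_then_drop(const char *path)
{
    int fd = open(path, O_RDWR);          /* the only step that needs root */
    if (drop_to_real_ids() != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_then_drop(argc > 1 ? argv[1] : "/dev/null");
    printf("fd=%d uid=%d euid=%d\n", fd, (int)getuid(), (int)geteuid());
    return fd < 0;
}
```

The descriptor stays usable after the drop because access is checked at open() time, which is why the device node itself can be restricted to root.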
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c28
--- Comment #28 from Ludwig Nussel
Choice 4:
- add virtualbox permissions to permissions package, but comment them out.
Doesn't work. The admin is supposed to only touch permissions.local. The other files are overwritten on update.
User mkudlvasr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c29
--- Comment #29 from Martin Kudlvasr
You mean you are going to drop the vboxusers group? I'd keep that even with the setuid programs.
I'd keep that too. With permissions of VirtualBox set to rwsr-sr-- (root.vboxusers)
I meant, that in previous versions, vboxusers could access /dev/vboxdrv (kernel interface) directly, with their custom (haxor) tools. In the current suid version, users can access /dev/vboxdrv only through VirtualBox binary (/dev/vboxdrv can have 0600 permissions). We can harden it even more by allowing only vboxusers to execute VirtualBox binary.
I'll bring this issue up again in our team meeting on Monday to increase the priority of the audit.
Thanks
Doesn't work. The admin is supposed to only touch permissions.local. The other files are overwritten on update.
Ok, so he won't uncomment them, but will copy them to permissions.local. The goal is to have the lines ready for the admin somewhere. One more option:
Choice 5:
- add virtualbox suid permissions to permissions.iknowwhatido (or similar name). This way the user will be well informed, that there is a potential security risk.
- document the risk connected to adding "iknowwhatido" to PERMISSION_SECURITY
- mention the documentation in the error message, so that users won't be completely puzzled.
- adding a single permission category just to solve this one case is not very systematic.
My current order of preference: Choice 3, Choice 5, Choice 4, Choice 2, Choice 1
User jan-olof.eriksson@opensuse.fi added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c30
Jan-Olof Eriksson
User jan-olof.eriksson@opensuse.fi added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c31
--- Comment #31 from Jan-Olof Eriksson
User coolo@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c32
Stephan Kulow
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c33
--- Comment #33 from Ludwig Nussel
User coolo@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c34
--- Comment #34 from Stephan Kulow
User coolo@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c35
Stephan Kulow
User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c36
Ludwig Nussel
User felix@derklecks.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c37
Felix Möller
User felix@derklecks.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c38
Felix Möller
User felix@derklecks.de added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c39
Felix Möller
User wstephenson@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c40
Will Stephenson
User coolo@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c41
Stephan Kulow
User mkudlvasr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c42
Martin Kudlvasr