https://bugzilla.novell.com/show_bug.cgi?id=429725 User suse-tux@gmx.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c2 --- Comment #2 from Marcus Hüwe 2008-09-25 06:43:44 MDT --- It seems that your system security setting doesn't allow suid binaries. Is it possible that "PERMISSION_SECURITY" in /etc/sysconfig/security is set to something different than "easy"? Can you show me the output of "ls -la /usr/lib/virtualbox/VirtualBox"? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User vendion@charter.net added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c3 --- Comment #3 from Adam Jimerson 2008-09-25 20:31:42 MDT --- Yes I'm talking about the on in the build service, I did not change any of the PERMISSION_SECURITY options and they are still default, I never see the need to change it on any of my systems. I'm not at the system with 2.0.2, won't be until tomorrow, but on my system with 1.6.2 here is the output (same version on SUSE, different DE this has KDE4 and the machine 2.0.2 is running Gnome) vendion@SE-03:~> ls -la /usr/lib/virtualbox/VirtualBox -rwxr-xr-x 1 root root 3300686 2008-06-22 20:46 /usr/lib/virtualbox/VirtualBox -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User suse-tux@gmx.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c5 --- Comment #5 from Marcus Hüwe 2008-09-26 09:34:21 MDT --- The permissions are wrong it should be 4711 (in case you want to execute it as a normal user). But this should be happen automatically if you install the rpm (as long as your system security level is set to "easy"). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User johann-nikolaus.andreae@nacs.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c7 Johann-Nikolaus Andreae changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |johann-nikolaus.andreae@nacs.de --- Comment #7 from Johann-Nikolaus Andreae 2008-11-05 08:39:11 MST --- I have the same problem. Install via KDE4-Live-CD Beta3 update from the factory reposotory. The file permission is easy. the ls -la /usr/lib/virtualbox/VirtualBox output is the same. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User suse-tux@gmx.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c9 --- Comment #9 from Marcus Hüwe 2008-11-06 03:51:35 MST --- What happens if you execute "SuSEconfig -module permissions" after the installation? This should set the correct permissions for the binaries in /usr/lib(64)/virtualbox -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User suse-tux@gmx.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c11 --- Comment #11 from Marcus Hüwe 2008-11-06 04:09:50 MST --- (In reply to comment #10 from Johann-Nikolaus Andreae)

This did not help. No permissions of virtualbox changed.

What's the output of "grep PERMISSION_SECURITY /etc/sysconfig/security"? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User suse-beta@cboltz.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c13 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |security-team@suse.de --- Comment #13 from Christian Boltz 2008-11-06 15:30:36 MST --- CC'ing the security team. Short summary: VirtualBox requires to be suid-root to do some hardening (at least the configure switch says so, see also comment #6). Is this OK or would you prefer the --disable-hardening switch? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User vuntz@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c15 --- Comment #15 from Vincent Untz 2008-11-07 05:55:13 MST --- I guess this means VirtualBox should be compiled with --disable-hardening? Else, we just have a non-working VirtualBox by default... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c17 --- Comment #17 from Ludwig Nussel 2008-11-17 08:35:01 MST --- The solution at this point in time is documentation about how to adjust permissions. The security team was not informed about those new requirements in time and we can't audit virtualbox over night. Therefore please turn on all hardening measurements offered by upstream and ship the package without additional permissions. An audit will have to confirm that shipping VirtualBox with setuid permissions indeed doesn't impose an unbearable risk. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c19 --- Comment #19 from Ludwig Nussel 2008-11-18 01:30:09 MST --- (In reply to comment #18 from Christian Boltz)

BTW: What will happen if you find out that VirtualBox has a security bug in the to-be-suid-root files? Will you release an update for 11.1 or will you say "hey, we didn't ship it suid-root, so what?"

Depends on the bug. If the system is broken by design it could very well happen that a privilege escalation bug is not fixable. We need the audit to also estimate that risk. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User vendion@charter.net added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c21 --- Comment #21 from Adam Jimerson 2008-11-18 17:42:22 MST --- Well in the setup I was deploying VirtualBox in running it or the system as root is out of the question, having a public system running as root == bad. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User suse-tux@gmx.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c23 --- Comment #23 from Marcus Hüwe 2008-11-20 07:44:08 MST --- Just a question are we talking now about the official factory packages or the ones in the Virtualization:VirtualBox repo? Which rpms aren't working? (In reply to comment #17 from Ludwig Nussel)

Therefore please turn on all hardening measurements offered by upstream and ship > the package without additional permissions.

Hmm and what about shipping an older (< 2.0.0) working version of virtualbox which doesn't need the hardening? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User mkudlvasr@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c25 Martin Kudlvasr changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mkudlvasr@novell.com Status|NEW |NEEDINFO Info Provider| |security-team@suse.de --- Comment #25 from Martin Kudlvasr 2008-11-20 09:07:32 MST --- As far as I have read the code, virtualbox uses the suid root ONLY to open /dev/vboxdrv. Right after that, setresuid is used to set privileges of the process to uid (and gid) of the user. The process is very well commented (surprisingly well) in the source files. The source file location: VirtualBox-2.0.4/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp Please consider these arguments when making the decision: - Users had access to the kernel module until now through group vboxusers. In the suid version, they still have access to it, but only through virtualbox binary. The suid version is actually reducing access to the kernel module. - Running virtualbox as root is much less secure that either of the suid or vboxusers versions. So far I see 3 options Choice 1 (lnussels, if I understood correctly): - do not add virtualbox permissions to permissions package - document, that virtualbox can be run only as root. - mention the documentation in the error message, so that users won't be completely puzzled. Choice 2: - do not add virtualbox permissions to permissions package - document, how users can add permissions to /etc/permissions and set virtualbox suid by hand (and SUSE/security will deny responsibility for the risk) - mention the documentation in the error message, so that users won't be completely puzzled. Choice 3: - add virtualbox permissions to permissions package. - imho most secure. My order of preference: Choice 3, Choice 2, Choice 1 I ask the security team for the final decision, whatever will that be. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c27 Ludwig Nussel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW Info Provider|security-team@suse.de | --- Comment #27 from Ludwig Nussel 2008-11-20 09:32:18 MST --- (In reply to comment #23 from Marcus Hüwe)

Hmm and what about shipping an older (< 2.0.0) working version of virtualbox which doesn't need the hardening?

IIRC an audit was aborted because previous versions already had grave security problems with the kernel interface. So shipping an old version doesn't improve anything. (In reply to comment #25 from Martin Kudlvasr)

As far as I have read the code, virtualbox uses the suid root ONLY to open /dev/vboxdrv. Right after that, setresuid is used to set privileges of the process to uid (and gid) of the user. The process is very well commented (surprisingly well) in the source files.

Good to hear. An Audit will hopefully confirm that it's indeed safe.

Please consider these arguments when making the decision: - Users had access to the kernel module until now through group vboxusers In the suid version, they still have access to it, but only through virtualbox binary. The suid version is actually reducing access to the kernel module.

You mean you are going to drop the vboxusers group? I'd keep that even with the setuid programs.

- Running virtualbox as root is much less secure that either of the suid or vboxusers versions.

That's a misconception. A kernel interface that allows you to change arbitrary things in kernel space as user is is almost equivalent to root access with the exception that you don't know it (which makes it even worse). So in this situation it is only honest to require authentication as root.

So far I see 3 options

Choice 1 (lnussels, if I understood correctly): - do not add virtualbox permissions to permissions package - document, that virtualbox can be run only as root. - mention the documentation in the error message, so that users won't be completely puzzled.

Choice 2: - do not add virtualbox permissions to permissions package - document, how users can add permissions to /etc/permissions and set virtualbox suid by hand (and SUSE/security will deny responsibility for the risk) - mention the documentation in the error message, so that users won't be completely puzzled.

Choice 3: - add virtualbox permissions to permissions package. - imho most secure.

My order of preference: Choice 3, Choice 2, Choice 1

I ask the security team for the final decision, whatever will that be.

I'll bring this issue up again in our team meeting on Monday to increase the priority of the audit. Until the Audit is done my suggestion is 1+2 as you always have the choice to add your binaries to permissions.local or to run virtualbox via su/sudo. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User mkudlvasr@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c29 --- Comment #29 from Martin Kudlvasr 2008-11-20 09:53:39 MST ---

You mean you are going to drop the vboxusers group? I'd keep that even with the setuid programs. I'd keep that too. With permissions of VirtualBox set to rwsr-sr-- (root.vboxusers)

I meant, that in previous versions, vboxusers could access /dev/vboxdrv (kernel interface) directly, with their custom (haxor) tools. In the current suid version, users can access /dev/vboxdrv only through VirtualBox binary (/dev/vboxdrv can have 0600 permissions). We can harden it even more by allowing only vboxusers to execute VirtualBox binary.

I'll bring this issue up again in our team meeting on Monday to increase the priority of the audit.

Thanks

Doesn't work. The admin is supposed to only touch permissions.local. The other files are overwritten on update.

Ok, so he won't uncomment them, but will copy them to permissions.local. The goal is to have the lines ready for the admin somewhere. One more option: Choice 5: - add virtualbox suid permissions to permissions.iknowwhatido (or similar name). This way the user will be well informed, that there is a potential security risk. - document the risk connected to adding "iknowwhatido" to PERMISSION_SECURITY - mention the documentation in the error message, so that users won't be completely puzzled. - adding a single permission category just to solve this one case is not very systematic. My current order of preference: Choice 3, Choice 5, Choice 4, Choice 2, Choice 1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User jan-olof.eriksson@opensuse.fi added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c31 --- Comment #31 from Jan-Olof Eriksson 2008-11-24 00:03:08 MST --- I have this issue with 11.1 beta5 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User lnussel@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c33 --- Comment #33 from Ludwig Nussel 2008-11-24 08:46:34 MST --- VirtualBox never worked out of the box. One always had to at least add users to the vboxusers group. After discussion in the team we still don't like adding setuid bits to stuff that did not receive an audit. However given that VirtualBox was considered unsafe before already (/dev/vboxdrv didn't pass an audit) the situation probably cannot get worse as long as we use the vboxusers group. Therefore we would get over the following setup: - /dev/vboxdrv root:root 0600 - the vbox binaries root:vboxusers 4750 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User coolo@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c35 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|suse-tux@gmx.de |lnussel@novell.com --- Comment #35 from Stephan Kulow 2008-11-25 06:26:49 MST --- as discussed with Ludwig, the README is already part of the package, so the adoption of permissions.easy should be the only change left to fix ala #33 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User felix@derklecks.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c37 Felix Möller changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |highwaystar.ru@gmail.com --- Comment #37 from Felix Möller 2008-11-25 13:20:45 MST --- *** Bug 445405 has been marked as a duplicate of this bug. *** https://bugzilla.novell.com/show_bug.cgi?id=445405 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User felix@derklecks.de added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c39 Felix Möller changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonas.nyren@gmail.com --- Comment #39 from Felix Möller 2008-11-25 13:25:32 MST --- *** Bug 442810 has been marked as a duplicate of this bug. *** https://bugzilla.novell.com/show_bug.cgi?id=442810 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=429725 User coolo@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=429725#c41 Stephan Kulow changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED --- Comment #41 from Stephan Kulow 2008-12-01 08:53:46 MST --- if you'd check factory you'll see that /lib is fine -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.