[opensuse-factory] virtualbox from suse repo + usb support
hi folks,

as you might know, since virtualbox 4.0.0 "usb guest support" feature is now open source code, but during tests I found the problem: virtualbox needs full access to usb nodes, which of course, could lead to serious security problem (see bnc#664520 for details) - this means that (currently) virtualbox (provided by suse) doesn't have usb guest support enabled, by default

as a workaround I added comment with two udev lines, which create usb nodes in /dev/vboxusb/ dir with r/w access for vboxusers group (which feeds the virtualbox's needs), so after enabling these two lines (in /etc/udev/rules.d/60-vboxdrv.rules), your attached usb devices will be available also in virtualized guest system, but please keep in mind this could be real security problem!

JFYI how Oracle's virtualbox rpm deals with this situation (unacceptable due to possible security issue - basically they do the same as we with our two line comment in .rules file):
- in post install of specfile: udev rule is added, http://www.virtualbox.org/browser/trunk/src/VBox/Installer/linux/rpm/Virtual...
- this udev rule is triggered if usb device is added/removed - and it calls VBoxCreateUSBNode.sh script http://www.virtualbox.org/browser/trunk/src/VBox/Installer/linux/VBoxCreateU...
- VBoxCreateUSBNode.sh (build /dev/vboxusb dir with usb devices and grant access to $group) || (destroy /dev/vboxusb device)

bye
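An added example, not part of the original post and not openSUSE or Oracle code: a shell audit of the workaround described above, reporting whether any USB-node rule in the rules file is uncommented, which nodes under /dev/vboxusb are group read/write, and who is in vboxusers. The function names are hypothetical and the grep pattern assumes the rules mention `vboxusb` or `VBoxCreateUSBNode`; the rules path, node directory and group name are the ones given in the message.

```shell
#!/bin/sh
# Added example (not openSUSE or Oracle code): audit the USB workaround state.
# Function names are hypothetical; paths and group name come from the thread.

# Print active (uncommented) rules in file $1 that mention the vboxusb node
# directory or the VBoxCreateUSBNode.sh helper; exit status 0 if any is active.
active_vbox_usb_rules() {
    [ -r "$1" ] || return 1
    grep -nE 'vboxusb|VBoxCreateUSBNode' "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Print non-directory entries under $1 that the owning group can read and write.
# Real nodes are character devices; the type is not checked so that the
# function can also be exercised on ordinary files.
group_rw_nodes() {
    [ -d "$1" ] || return 0
    find "$1" ! -type d -perm -060 -print
}

# Print the supplementary members of group $1 from group file $2
# (default /etc/group). Users with $1 as primary group are not listed there.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}"
}

# Summarise the three checks; $1 and $2 override the default paths.
audit_vbox_usb() {
    rules=${1:-/etc/udev/rules.d/60-vboxdrv.rules}
    nodes=${2:-/dev/vboxusb}
    if active_vbox_usb_rules "$rules"; then
        echo "USB passthrough rules ACTIVE in $rules"
    else
        echo "no active USB passthrough rules in $rules"
    fi
    echo "group-rw nodes under $nodes: $(group_rw_nodes "$nodes" | wc -l)"
    echo "vboxusers members: $(group_members vboxusers)"
}

audit_vbox_usb
```

Every account listed for vboxusers gets raw read/write access to each node reported, so the member list is the set of accounts to review before uncommenting the rules.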
On Thu, Jan 20, 2011 at 09:21, Michal Šebeň wrote:
hi folks,
as you might know, since virtualbox 4.0.0 "usb guest support" feature is now open source code, but during tests I found the problem: virtualbox needs full access to usb nodes, which of course, could lead to serious security problem (see bnc#664520 for details) - this means that (currently) virtualbox (provided by suse) doesn't have usb guest support enabled, by default
So went to read the bug report. https://bugzilla.novell.com/show_bug.cgi?id=664520

Have I got this right? .... this "security hole" could allow someone who already has full user rights on the OS to access information that he or she essentially already has rights and access to?

That seems like a real non-issue to me... like the Linux exploits that give someone with root access a way to get root access...

Under what conditions would this USB access be a risk?

C.
C wrote:
On Thu, Jan 20, 2011 at 09:21, Michal Šebeň wrote:
hi folks,
as you might know, since virtualbox 4.0.0 "usb guest support" feature is now open source code, but during tests I found the problem: virtualbox needs full access to usb nodes, which of course, could lead to serious security problem (see bnc#664520 for details) - this means that (currently) virtualbox (provided by suse) doesn't have usb guest support enabled, by default
So went to read the bug report. https://bugzilla.novell.com/show_bug.cgi?id=664520
Have I got this right? .... this "security hole" could allow someone who already has full user rights on the OS to access information that he or she essentially already has rights and access to?
That seems like a real non-issue to me... like the Linux exploits that give someone with root access a way to get root access...
Under what conditions would this USB access be a risk?
C.
If I understand that bug correctly, then the problem is that VBox has full rights to access usb ports. So if you run a virtual machine and someone uses any security hole in VirtualBox, then he can, with the permissions of VirtualBox, sniff e.g. USB keyboard, mouse etc. So the problem is that someone who doesn't have full user rights (just vboxuser right) can sniff USB devices and also send output there (consider what you can put to USB).

Just my 2c.
Josef

--
Josef Reidinger
Appliance Toolkit team
maintainer of perl-Bootloader, yast2-bootloader and parts of webyast and SLMS
On 20.01.2011 10:03, Josef Reidinger wrote:
C wrote:
On Thu, Jan 20, 2011 at 09:21, Michal Šebeň wrote:
hi folks,
but during tests I found the problem: virtualbox needs full access to usb nodes, which of course, could lead to serious security problem (see bnc#664520 for details) - this means that (currently) virtualbox (provided by suse) doesn't have usb guest support enabled, by default
So went to read the bug report. https://bugzilla.novell.com/show_bug.cgi?id=664520
Under what conditions would this USB access be a risk?
If I understand that bug correctly, then the problem is that VBox has full rights to access usb ports. So if you run a virtual machine and someone uses any security hole in VirtualBox, then he can, with the permissions of VirtualBox, sniff e.g. USB keyboard, mouse etc. So the problem is that someone who doesn't have full user rights (just vboxuser right) can sniff USB devices and also send output there (consider what you can put to USB).
AFAICS it could be used by the software inside a virtual machine to break out and even get root, e.g. if you booted from a USB disk and that USB disk is accessible directly from inside the virtual machine.

Some people use virtualization as a secure sandbox for untrusted code, and they want to make sure that the code inside the VM never can break out (get user rights).

Regards,
Carl-Daniel

--
http://www.hailfinger.org/
participants (4)
- C
- Carl-Daniel Hailfinger
- Josef Reidinger
- Michal Šebeň