[opensuse-factory] How to get SUID on a VirtualBox program
Hi,

I need to get the permissions changed on program VBoxNATNetwork so that the host and other guests can connect to a given VM. In the past, this code had SUID privilege, but it was mistakenly removed. It should be restored. According to Oracle, I could remove hardening to eliminate the need for SUID, but that would open lots of security holes.

How should I go about requesting this change? Would filing a bug report and assigning it to Security be sufficient?

Thanks,
Larry

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Monday, 10 April 2017 21.03:06 h CEST Larry Finger wrote:
> Hi,
>
> I need to get the permissions changed on program VBoxNATNetwork so that the host and other guests can connect to a given VM. In the past, this code had SUID privilege, but it was mistakenly removed. It should be restored. According to Oracle, I could remove hardening to eliminate the need for SUID, but that would open lots of security holes.
>
> How should I go about requesting this change? Would filing a bug report and assigning it to Security be sufficient?
>
> Thanks,
> Larry

Don't know if it would be pertinent, and so sorry to not have free time to dig into it, but I guess that using kernel capabilities should be the way to go.

A bit like what is happening for ping. Inside a systemd service file you can also add capabilities:

    # Example, if you use the iptables plugin alongside the dns or ping plugin:
    #CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
    #
    # By default, drop all capabilities:
    # CapabilityBoundingSet=
    NoNewPrivileges=true

Hope this gives you a way to follow.

--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
Bareos Partner, openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

On 04/11/2017 04:33 AM, Larry Finger wrote:
> Hi,
>
> I need to get the permissions changed on program VBoxNATNetwork so that the host and other guests can connect to a given VM. In the past, this code had SUID privilege, but it was mistakenly removed. It should be restored. According to Oracle, I could remove hardening to eliminate the need for SUID, but that would open lots of security holes.
>
> How should I go about requesting this change? Would filing a bug report and assigning it to Security be sufficient?
>
> Thanks,
> Larry

Yes, assign a bug to the security team for an audit, and once the audit is complete you can add the suid bit back.

--
Simon Lees (Simotek) http://simotek.net
Emergency Update Team keybase.io/simotek
SUSE Linux Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B

On Tue, Apr 11, 2017 at 10:20:11AM +0930, Simon Lees wrote:
> On 04/11/2017 04:33 AM, Larry Finger wrote:
>> Hi,
>>
>> I need to get the permissions changed on program VBoxNATNetwork so that the host and other guests can connect to a given VM. In the past, this code had SUID privilege, but it was mistakenly removed. It should be restored. According to Oracle, I could remove hardening to eliminate the need for SUID, but that would open lots of security holes.
>>
>> How should I go about requesting this change? Would filing a bug report and assigning it to Security be sufficient?
>>
>> Thanks,
>> Larry
>
> Yes, assign a bug to the security team for an audit, and once the audit is complete you can add the suid bit back.

Correct, this is how it works.

"According to Oracle, I could remove hardening to eliminate the need for SUID, but that would open lots of security holes." does not make sense to me.

Ciao, Marcus

On 04/11/2017 01:53 AM, Marcus Meissner wrote:
> On Tue, Apr 11, 2017 at 10:20:11AM +0930, Simon Lees wrote:
>> On 04/11/2017 04:33 AM, Larry Finger wrote:
>>> Hi,
>>>
>>> I need to get the permissions changed on program VBoxNATNetwork so that the host and other guests can connect to a given VM. In the past, this code had SUID privilege, but it was mistakenly removed. It should be restored. According to Oracle, I could remove hardening to eliminate the need for SUID, but that would open lots of security holes.
>>>
>>> How should I go about requesting this change? Would filing a bug report and assigning it to Security be sufficient?
>>>
>>> Thanks,
>>> Larry
>>
>> Yes, assign a bug to the security team for an audit, and once the audit is complete you can add the suid bit back.
>
> Correct, this is how it works.
>
> "According to Oracle, I could remove hardening to eliminate the need for SUID, but that would open lots of security holes." does not make sense to me.

"Hardening" is Oracle's term for enabling a lot of security in VirtualBox. For the most part, the term applies to the version for Windows hosts, but removing that feature does relax some security restrictions for Linux. Such relaxation is obviously not a good idea.

Larry

--
If I was stranded on an island and the only way to get off the island was to make a pretty UI, I’d die there.
Linus Torvalds

On Mon, Apr 10, 2017 at 4:03 PM, Larry Finger
> Hi,
>
> I need to get the permissions changed on program VBoxNATNetwork so that the host and other guests can connect to a given VM. In the past, this code had SUID privilege, but it was mistakenly removed. It should be restored. According to Oracle,

What capability does it require? You could use the systemd AmbientCapabilities setting to get what you want without SUID.

> I could remove hardening to eliminate the need for SUID, but that would open lots of security holes.

That sentence does not parse well. I think they got it exactly backwards.

> How should I go about requesting this change? Would filing a bug report and assigning it to Security be sufficient?

Yes.

participants (5)
- Bruno Friedmann
- Cristian Rodríguez
- Larry Finger
- Marcus Meissner
- Simon Lees