https://bugzilla.novell.com/show_bug.cgi?id=429725
User mkudlvasr@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=429725#c29
--- Comment #29 from Martin Kudlvasr
> You mean you are going to drop the vboxusers group? I'd keep that even with the setuid programs.
I'd keep that too. With permissions of VirtualBox set to rwsr-sr-- (root.vboxusers).
I meant that in previous versions, vboxusers could access /dev/vboxdrv (kernel interface) directly, with their custom (haxor) tools. In the current suid version, users can access /dev/vboxdrv only through the VirtualBox binary (/dev/vboxdrv can have 0600 permissions). We can harden it even more by allowing only vboxusers to execute the VirtualBox binary.
I'll bring this issue up again in our team meeting on Monday to increase the priority of the audit.
Thanks
> Doesn't work. The admin is supposed to only touch permissions.local. The other files are overwritten on update.
Ok, so he won't uncomment them, but will copy them to permissions.local. The goal is to have the lines ready for the admin somewhere.

One more option:

Choice 5:
- add virtualbox suid permissions to permissions.iknowwhatido (or similar name). This way the user will be well informed that there is a potential security risk.
- document the risk connected to adding "iknowwhatido" to PERMISSION_SECURITY
- mention the documentation in the error message, so that users won't be completely puzzled.
- adding a single permission category just to solve this one case is not very systematic.

My current order of preference: Choice 3, Choice 5, Choice 4, Choice 2, Choice 1
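As an added example (not part of the bug report and not code from the VirtualBox package), the hardening scheme described in this comment written as a shell check over "MODE OWNER GROUP" triples in the format that `stat -c '%a %U %G'` prints: the launcher must be setuid root with group vboxusers and no permissions for "other" (rwsr-sr-- root.vboxusers, i.e. 6750), and /dev/vboxdrv must be 0600 and owned by root, so the only path to the driver is through that binary. The launcher path is passed in as an argument because the comment does not name it; accepting 4750 (no setgid) as well as 6750 is my assumption, as is the `to_bits`/`check_file` helper naming.

```shell
#!/bin/sh
# Added example, not from the bug report or the VirtualBox package.
# Checks "MODE OWNER GROUP" triples (as printed by `stat -c '%a %U %G' FILE`)
# against the hardening scheme from the comment:
#   launcher : setuid root, executable by group vboxusers, nothing for "other"
#   driver   : /dev/vboxdrv 0600, owned by root (reachable only via the launcher)
# Accepting 4750 as well as 6750 for the launcher is an assumption.

# to_bits MODE: octal mode string -> integer. A leading 0 makes the shell's
# arithmetic expansion parse the constant as octal (POSIX). Rejects non-octal.
to_bits() {
    case $1 in ""|*[!0-7]*) return 1 ;; esac
    echo $((0$1))
}

# vbox_binary_ok MODE OWNER GROUP -> 0 if the launcher permissions are hardened
vbox_binary_ok() {
    [ "$2" = root ] && [ "$3" = vboxusers ] || return 1
    bits=$(to_bits "$1") || return 1
    [ $((bits & 04000)) -ne 0 ] || return 1   # setuid root: it opens the driver on the user's behalf
    [ $((bits & 010)) -ne 0 ] || return 1     # group vboxusers may execute it
    [ $((bits & 07)) -eq 0 ] || return 1      # "other" gets nothing, so only vboxusers can run it
    return 0
}

# vbox_device_ok MODE OWNER GROUP -> 0 if /dev/vboxdrv is reachable by root only
vbox_device_ok() {
    [ "$2" = root ] || return 1
    bits=$(to_bits "$1") || return 1
    [ $((bits & 0600)) -eq $((0600)) ] || return 1  # owner (root) can read and write
    [ $((bits & 07177)) -eq 0 ] || return 1         # no special bits, no owner exec, nothing for group/other
    return 0
}

# check_file binary|device PATH: run the matching policy against a real file
check_file() {
    kind=$1; path=$2
    out=$(stat -c '%a %U %G' "$path" 2>/dev/null) || { echo "FAIL $path (cannot stat)"; return 1; }
    set -- $out
    case $kind in
        binary) vbox_binary_ok "$@" ;;
        device) vbox_device_ok "$@" ;;
        *) false ;;
    esac && echo "OK   $path ($1 $2.$3)" || { echo "FAIL $path ($1 $2.$3)"; return 1; }
}

# Usage: sh vbox_perm_check.sh /path/to/VirtualBox /dev/vboxdrv
# (the launcher path is whatever the package installs; not given in the comment)
if [ $# -eq 2 ]; then
    status=0
    check_file binary "$1" || status=1
    check_file device "$2" || status=1
    exit $status
fi
```

The policy functions take the triple rather than a path so they can be exercised without the real files; `check_file` is the thin wrapper that reads a live system. Run it after a package update to confirm the modes in the shipped permissions profile actually landed on disk.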