Mailinglist Archive: opensuse-bugs (4297 mails)

[Bug 1041117] New: VirtualBox as a default user: needs extra permissions, USB passthru security risk, missing /dev/vboxdrv
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sat, 27 May 2017 22:07:40 +0000
  • Message-id: <bug-1041117-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1041117


Bug ID: 1041117
Summary: VirtualBox as a default user: needs extra permissions,
USB passthru security risk, missing /dev/vboxdrv
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Tools
Assignee: virt-bugs@xxxxxxx
Reporter: moritzrakow@xxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Created attachment 726708
--> http://bugzilla.opensuse.org/attachment.cgi?id=726708&action=edit
USB passthru warning on VirtualBox start

## Overview

Starting a virtual machine does not work out of the box. In the default config,
the user needs extra privileges (vboxusers), there is a USB passthru security
issue, and the virtual machine does not start because of a missing kernel
module.

## Steps to reproduce

1. Install the virtualbox package.
2. Attempt to start virtualbox.
3. Add yourself to the vboxusers group.
4. Log out, log back in again.
5. Start virtualbox a second time, and click away the security warning about
   USB passthru. It links to Bug 664520.
6. Create a virtual machine, e.g. with the Leap 42.3 Beta Net ISO.
7. Try to start the virtual machine.

## Actual results

By default, the user is not permitted to run VirtualBox. Not sure if this is
intended behaviour, but the user has to take additional steps to even start the
application.

The message about the USB security hole pops up (screenshot attached), but
rather than pressing enable/disable USB, the only button is "OK". The default
choice is to accept the security risk and do nothing. The message ends with an
encouraging "This message will not be seen again!". The recommendation is to
edit /etc/udev/rules.d/60-vboxdrv.rules but the user does not have the
permissions to do so.

Should the default behaviour not be to avoid the security risk, with an option
somewhere to *enable* USB passthru? Should a warning message like this not be
able to be shown a second time and the information be displayed next to the
relevant settings option?

Then, there is an error when starting the virtual machine:

The VirtualBox Linux kernel driver (vboxdrv) is either not loaded or there
is a permission problem with /dev/vboxdrv. Please reinstall the kernel module
by executing '/sbin/vboxconfig' as root.

/dev/vboxdrv does not exist.

## Expected result

A user will by default be allowed to start VirtualBox.

The default configuration will be to avoid the USB passthru security risk, with
an explanation for those choosing to *opt in*. It should not require root
privileges to opt out of a security risk, in this case by editing
/etc/udev/rules.d/60-vboxdrv.rules

Starting a virtual machine will not fail because something else needs to be
installed.

## Build and hardware

USB/DVD iso on 64bit laptop, updated to build 0253.

## Additional comments

Maybe there are good reasons to not include users by default in the vboxusers
group and to enable USB passthru.

Regardless, the warning message is not very useful, advocating one thing
(disable USB passthru), but making the opposite the default which is not easy
to change.

--
You are receiving this mail because:
You are on the CC list for the bug.