[Pkg-virtualbox-devel] Bug#585951: virtualbox-ose: should not be set suid

Frank Mehnert Frank.Mehnert at Sun.COM
Tue Jun 15 07:04:34 UTC 2010


You are correct that these binaries are suid root but your deduction
is wrong. These binaries need access to a kernel interface which is
provided by the VirtualBox kernel modules. This interface can be used
to harm the complete machine including the kernel. So the access to this
interface must be restricted.

It is NOT sufficient to restrict the access to this kernel interface
to certain users (by choosing proper permissions for /dev/vboxdrv)
but it must be restricted to certain applications as well. The usual
practice for doing so is to make the binary suid root. The binary
will open the restricted interface and will then drop the privileges
immediately keeping the interface open. This guarantees that only
dedicated applications can access this kernel interface.

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert

Registered office:
Sun Microsystems GmbH, Sonnenallee 1, 85551 Kirchheim-Heimstetten
Munich District Court: HRB 161028
Managing Director: Jürgen Kunz
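
The open-then-drop pattern described in the message above, sketched as an added C example; it is not part of the original message and is not VirtualBox's code. The function name `open_then_drop` is hypothetical and the device path is supplied by the caller.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open the restricted device while the process still
 * has its suid-root effective uid, then permanently return to the invoking
 * user's identity. Returns the open descriptor, or -1 if the open or any
 * step of the privilege drop fails. */
int open_then_drop(const char *dev_path)
{
    uid_t ruid = getuid();   /* invoking user: real uid of a suid process */
    gid_t rgid = getgid();

    /* 1. The only action performed with elevated rights. O_CLOEXEC keeps
     *    the descriptor from leaking into programs this process execs. */
    int fd = open(dev_path, O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* 2. Drop the gid before the uid: once root is given up, the gid can
     *    no longer be changed. With effective uid 0, setgid()/setuid()
     *    set the real, effective and saved ids together, so the drop is
     *    permanent. Supplementary groups already belong to the invoking
     *    user, because the suid bit only changes the effective uid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        goto fail;

    /* 3. Never trust the return codes alone: confirm that root cannot be
     *    regained. Skipped when root itself started the program. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        goto fail;
    if (geteuid() != ruid || getegid() != rgid)
        goto fail;

    /* Permissions were checked at open() time, so the descriptor stays
     * usable after the process has become unprivileged. */
    return fd;

fail:
    close(fd);
    return -1;
}
```

The failure path closes the descriptor so that a process which could not shed root never continues with the kernel interface open.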