[Pkg-virtualbox-devel] Bug#760574: Access to Virtualbox should be limited to a group of users

Evgeny Kapun abacabadabacaba at gmail.com
Fri Sep 5 13:50:44 UTC 2014


Package: virtualbox
Version: 4.3.14-dfsg-1
Tags: security

Virtualbox has a lot of code. Virtualbox has five setuid root binaries and four kernel modules. Virtualbox has a large attack surface. And yet any user can run Virtualbox. Not just real users, but also accounts used for running web applications and other potentially untrusted code. All of them may try to exploit Virtualbox to elevate their privileges or at least break the system's networking (see bug #760569).

There is already a vboxusers group, but it only controls access to USB devices. There should be a different group such that users outside that group can't run Virtualbox at all. They just shouldn't have permission to execute Virtualbox binaries (at least those that are setuid root). They also shouldn't be able to access Virtualbox device nodes in any way. This way, even if Virtualbox has a privilege elevation flaw, most users wouldn't be able to make any use of it.
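
An added example, not part of the original report or of the package: a small audit for the state the report asks for, listing setuid files that users outside the owning group can still execute and device nodes that grant any access to "other". The function names are hypothetical, and the install directory and device node paths are not given in the report, so the caller supplies them.

```shell
#!/bin/sh
# Added audit sketch. No paths are built in: pass the directory holding the
# setuid helpers and the device nodes to check (assumed known to the admin).

# Print setuid files under DIR that "other" can execute, i.e. files that any
# local account can run with the owner's privileges.
world_exec_setuid() {
    find "$1" -type f -perm -4000 -perm -0001 2>/dev/null
}

# Print each given path that grants read, write or execute to "other".
# -prune keeps find on the named path itself instead of descending.
world_accessible() {
    for node in "$@"; do
        find "$node" -prune \
            \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print 2>/dev/null
    done
}

# usage: audit BIN_DIR [NODE...]
# Returns 0 when access is limited to owner and group, 1 (and prints the
# offending paths) otherwise.
audit() {
    bin_dir=$1
    shift
    findings=$( { world_exec_setuid "$bin_dir"; world_accessible "$@"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when arguments were given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

A setuid helper at mode 4750 owned by root and a dedicated group passes this check, while the same file at mode 4755 is reported.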


