From: Bernhard Fröhlich <decke@freebsd.org>
Date: Wed, 29 Sep 2021 20:17:18 +0200
Subject: Re: Running VirtualBox as non-root user
To: Mario Lobo
Cc: freebsd-questions@freebsd.org, freebsd-virtualization@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

On Wed, Sep 29, 2021 at 8:01 PM Mario Lobo wrote:
>
> Hi;
>
> Here is what I've done so far:
>
> - Created user vbox and put it in the vboxuser group
> - Went as far as chown -R vbox:vboxuser /usr/local/lib/virtualbox
> - Executables have the SUID bit set
> -r-s--x--- 1 vbox vboxusers 32064 Sep 21 22:18 VBoxSDL
> -r-s--x--- 1 vbox vboxusers 16064 Sep 21 22:18 VBoxNetAdpCtl
> -r-s--x--- 1 vbox vboxusers 32064 Sep 21 22:18 VBoxNetDHCP
> -r-s--x--- 1 vbox vboxusers 32064 Sep 21 22:18 VBoxNetNAT
> -r-s--s--- 1 vbox vboxusers 32352 Sep 22 17:55 VirtualBoxVM
>
> - Imported a test VM
> - Ran the VM as root to make sure it's working
> - Started VirtualBox as user vbox, and it starts fine
>
> The VirtualBox GUI starts fine as user vbox, but when I try to start the test VM
> from it, I get:
>
> Effective UID is not root (euid=1001 egid=920 uid=1001 gid=1001) (rc=-10)
> where: SUPR3HardenedMain what: 2 VERR_PERMISSION_DENIED (-10) - Permission
> denied.
>
> Starting it with VirtualBoxVM --startvm test gives the same error:
>
> VirtualBoxVM: Error -10 in SUPR3HardenedMain!
> VirtualBoxVM: Effective UID is not root (euid=1001 egid=920 uid=1001
> gid=1001)
> where: SUPR3HardenedMain
> what: 2
> VERR_PERMISSION_DENIED (-10) - Permission denied.
>
> Any pointer for anything else I should be doing, or that is missing?

Puh, it's been a long time for me, but from what I read there are two things that sound problematic to me.

1) vbox uses something that they call "hardening", which does some checks in addition to the suid/sgid bits. Changing permissions and/or user/group is asking for trouble! I'd recommend reinstalling the vbox package in that case. The instructions in the handbook should be enough.
pw groupmod vboxusers -m yourusername

2) Starting a VM as root is definitely not a good idea either. The problem is that vbox will create some temporary files/directories as root somewhere under /tmp, or was it /var? When the VM is stopped the directories are left behind and you won't be able to write to them as a user afterwards. If the VM is not running it should be okay to just delete them, but please have a look at the content first to make sure.

-- 
Bernhard Froehlich
http://www.bluelife.at/
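An added example, not from the thread and not VirtualBox's own tooling: a small POSIX sh audit that reads `ls -l` lines like the ones Mario posted and reports whether a setuid binary would actually run as root. The setuid bit grants the file owner's uid, not root's, so after the `chown -R vbox:...` the binaries run with euid=1001, which is exactly what the `Effective UID is not root (euid=1001 ...)` message reports. The "good" listing line (root-owned, same mode) is a constructed assumption based on standard setuid semantics, not a quote of the installed package, and `in_vboxusers` is an added helper around id(1) for the group-membership step.

```shell
#!/bin/sh
# Added example: audit "ls -l" lines for VirtualBox setuid binaries.
# A setuid bit only grants the *owner's* uid, so a binary chown'ed to "vbox"
# runs with euid=vbox, not root; the hardened launcher then refuses to start.

# vbox_setuid_check MODE OWNER FILE
# Prints a verdict; returns 0 only when the binary would run as root via setuid
# and is not writable by group/others (a writable setuid-root binary is worse
# than a broken one).
vbox_setuid_check() {
    mode=$1; owner=$2; file=$3
    # Owner-execute is the 4th mode character: 's' = setuid+exec, 'S' = setuid, no exec
    setuid_char=$(printf '%s' "$mode" | cut -c4)
    # Group-write is the 6th character, other-write the 9th
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    case $setuid_char in
        s|S) ;;
        *) echo "$file: no setuid bit ($mode)"; return 1 ;;
    esac
    if [ "$owner" != "root" ]; then
        echo "$file: setuid but owned by '$owner'; euid would be '$owner', not root"
        return 1
    fi
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "$file: setuid-root binary is group/world writable ($mode)"
        return 1
    fi
    echo "$file: OK (setuid root, not writable by group/others)"
    return 0
}

# audit_ls_line "LS_LINE": split one "ls -l" line into fields and check it.
audit_ls_line() {
    # shellcheck disable=SC2086
    set -- $1
    # $1 mode, $2 links, $3 owner, $4 group, $5 size, $6-$8 date/time, $9 name
    vbox_setuid_check "$1" "$3" "$9"
}

# in_vboxusers USERNAME: true if the user is a member of vboxusers (id(1) on
# FreeBSD and Linux). Added helper; not exercised by the sample run below.
in_vboxusers() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx vboxusers
}

# Constructed sample listing: the first line is as posted in the thread (the
# broken state); the second is the assumed correct state, root-owned with the
# same setuid mode.
SAMPLE_BROKEN='-r-s--x--- 1 vbox vboxusers 32064 Sep 21 22:18 VBoxSDL'
SAMPLE_OK='-r-s--x--- 1 root vboxusers 32064 Sep 21 22:18 VBoxSDL'

for line in "$SAMPLE_BROKEN" "$SAMPLE_OK"; do
    audit_ls_line "$line" || :   # keep going so both verdicts are printed
done
```

On a live system the same check is `ls -l /usr/local/lib/virtualbox/VBoxSDL | while read -r l; do audit_ls_line "$l"; done`; if any binary reports an owner other than root, reinstalling the package (as suggested above) restores the ownership the hardening expects rather than hand-editing modes.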