| Summary: | Failure to create host-only network | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Guillaume Rousse <guillomovitch> |
| Component: | RPM Packages | Assignee: | Thomas Backlund <tmb> |
| Status: | NEW --- | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, doktor5000, mageia, marja11 |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | virtualbox | CVE: | |
| Status comment: | |||
| Bug Depends on: | 30381 | ||
| Bug Blocks: | |||
Description
Guillaume Rousse
2021-11-01 13:40:30 CET
Assigning to the registered maintainer.

Assignee: bugsquad => tmb
Marc Krämer
2022-05-05 15:04:34 CEST
Depends on: (none) => 30381

I'm in a similar situation. /dev/vboxnetctl can't communicate with the user. Just try to open the file as user (if permissions are set):

    cat /dev/vboxnetctl
    cat: /dev/vboxnetctl: Operation not permitted

and this is pretty much the same VBox shows:

    VBoxNetAdpCtl add
    VBoxNetAdpCtl: Error while adding new interface: failed to open /dev/vboxnetctl: Operation not permitted

when it tries to open and communicate with the kernel driver. I assume the kernel driver itself is checking some permissions, or operations on the guest are not permitted as they must be, in order for the kmod to create a new interface.

CC: (none) => mageia

Running a bit through the source code, I found this bit here:
    * Device open. Called on open /dev/vboxnetctl
    ...
    #ifdef VBOX_WITH_HARDENING
        /*
         * Only root is allowed to access the device, enforce it!
         */
        if (!capable(CAP_SYS_ADMIN))
        ...
            return -EPERM;
That explains why users are unable to communicate with /dev/vboxnetctl.
But what is the correct way of enabling devices, if VirtualBox is not run as root?!

    ls -la /usr/lib64/virtualbox/VBoxNetAdpCtl
    -r-s--x--x 1 root root 33312 Apr 21 21:23 /usr/lib64/virtualbox/VBoxNetAdpCtl*

=> VBoxNetAdpCtl is running as setuid, so why does this return "Operation not permitted"? I assume CAP_SYS_ADMIN does not work for setuid programs?!
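The question above is whether the setuid bit gives VBoxNetAdpCtl the CAP_SYS_ADMIN that the hardened driver's open handler demands. In the kernel, capable(CAP_SYS_ADMIN) consults the effective capability set of the calling task, and a binary that runs setuid root normally starts with a full effective set; the check can therefore only fail if the helper never actually gained that set, which on Linux happens, for instance, when the binary lives on a filesystem mounted nosuid or the process has no_new_privs set. The C program below is an added example, not code from the bug report or from VirtualBox: it reads the CapEff bitmask of the process it runs in from /proc/self/status and reports whether CAP_SYS_ADMIN (bit 21, as defined in linux/capability.h) is present. Running it once as a normal user and once via sudo shows the two states the driver's check distinguishes. The CapEff lines in the comments are constructed sample values, not output captured from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/capability.h>
#endif
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21   /* same value as in linux/capability.h */
#endif

/* Parse one "CapEff:\t<hex>" line from /proc/self/status into a bitmask.
 * Returns 1 on success and fills *mask; returns 0 for any other line.
 * Constructed sample lines: "CapEff:\t0000000000000000" (no capabilities,
 * typical for an unprivileged user) and "CapEff:\t000001ffffffffff"
 * (full set, typical for root / a setuid-root helper). */
int parse_capeff_line(const char *line, uint64_t *mask) {
    const char *prefix = "CapEff:";
    if (strncmp(line, prefix, strlen(prefix)) != 0)
        return 0;
    const char *p = line + strlen(prefix);
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return 0;
    *mask = (uint64_t)v;
    return 1;
}

/* True when capability number `cap` is set in the effective mask, i.e. the
 * bit the kernel's capable(cap) test looks at for the calling task. */
int mask_has_cap(uint64_t mask, int cap) {
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Read the effective capability set of the current process.
 * Returns 1 and fills *mask on success, 0 if /proc is unavailable. */
int read_own_capeff(uint64_t *mask) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_capeff_line(line, mask)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void) {
    uint64_t eff;
    printf("uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (!read_own_capeff(&eff)) {
        fprintf(stderr, "cannot read CapEff from /proc/self/status\n");
        return 1;
    }
    printf("CapEff=%016llx CAP_SYS_ADMIN=%s\n", (unsigned long long)eff,
           mask_has_cap(eff, CAP_SYS_ADMIN) ? "yes" : "no");
    return 0;
}
```

If euid is 0 but CAP_SYS_ADMIN is reported as "no", the process was started without the capability gain that setuid root normally provides, which is exactly the situation in which the driver's capable() check returns -EPERM even though the file mode shows the s bit.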
Try with virtualbox-6.1.34-1.10.mga8 in updates_testing. You need to reboot afterwards to ensure you get proper privileges... and you must ensure your user is part of vboxusers... I'm still debating with myself if access to vboxnet changes should be protected by a separate group... to keep privilege separation more fine-grained...

As root run virtualbox. Select File/Host Network manager, then create a host only adapter. Then as a user, use the settings for the vboxguest to add the network adapter to the guest. Note that multiple users can have vb guests talking to each other over the host only adapter. Since it can be used by multiple users, the adapter itself must be created by root.

CC: (none) => davidwhodgins

I think this bug should be closed as invalid as it's working as intended. While it's a change from prior versions, it appears to be intentional. I'll leave it to tmb to decide. By running virtualbox as root to create the host only network, it created ...
    $ cat /etc/sysconfig/network-scripts/ifcfg-vboxnet0
    DEVICE=vboxnet0
    BOOTPROTO=dhcp
    ONBOOT=yes
    $ ip link|tail -n 2
    5: vboxnet0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
        link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
The above two commands are both on the host.

@Dave: sure they are created. Did you try to use the interface after reboot? It seems by default vboxnet0 is not recreated on reboot.

Two options I've found to get it created. Run VirtualBox as root after reboot, though you don't have to do anything with it. Or add the following line to /etc/rc.d/rc.local (create the file and mark it executable if it doesn't already exist):

    VBoxManage list hostonlyifs

Either running VirtualBox after reboot, or adding the above line and rebooting, results in ...

    $ ip link|tail -n 2
    5: vboxnet0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
        link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff

It would probably be better to have /etc/sysconfig/network-scripts/ifup-eth run the VBoxManage command if ifcfg-vbox* exists, as an enhancement request.

I don't know why/what. I just compared mga with another PC running Debian: vboxnet interfaces are recreated after reboot and work. And this worked in mga before. I did an update of mga6 (where it worked) to mga8. It seems linked somehow to the VirtualBox hardening. I rarely use this image, but I really think this should work somehow. I'm OK if root has to create the interface via VirtualBox, but the interface should work after reboot, without running VirtualBox as root again. I usually don't give root passwords to normal users.....

I don't know what the hardening was done to fix, but I think it's safe to assume it's a security issue. Adding "VBoxManage list hostonlyifs" to /etc/rc.d/rc.local ensures the users do not need to be given the root password.
Florian Hubold
2022-07-19 21:38:59 CEST
CC: (none) => doktor5000