Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"virtualbox: Enable hardening by default" breaks VirtualBox #5283

Closed
4z3 opened this issue Dec 10, 2014 · 16 comments
Closed

"virtualbox: Enable hardening by default" breaks VirtualBox #5283

4z3 opened this issue Dec 10, 2014 · 16 comments
Labels
0.kind: bug Something is broken
Milestone
17.09

Comments

@4z3
Copy link
Contributor

4z3 commented Dec 10, 2014

Commit 3e49487 breaks VirtualBox (at least for users, I haven't tried it as root) by creating files in /root/VirtualBox VMs:

user$ nixos-version 
15.05pre54360.5c52382 (Caterpillar)
user$ VBoxManage createvm --name foo --register
Virtual machine 'foo' is created and registered.
UUID: be27b224-d905-4712-84e7-1aed13496d7e
Settings file: '/root/VirtualBox VMs/foo/foo.vbox'
user$ VBoxManage startvm be27b224-d905-4712-84e7-1aed13496d7e
Waiting for VM "be27b224-d905-4712-84e7-1aed13496d7e" to power on...
VBoxManage: error: The virtual machine 'foo' has terminated unexpectedly during startup with exit code 1 (0x1)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component Machine, interface IMachine

Reverting 3e49487 (as I did in 9dcdeed) yields the expected behavior:

user$ nixos-version 
15.05.git.9dcdeed (Caterpillar)
user$ VBoxManage createvm --name foo --register
Virtual machine 'foo' is created and registered.
UUID: 6c283577-029d-4ede-bf53-0ea00f2266f2
Settings file: '/home/user/VirtualBox VMs/foo/foo.vbox
user$ VBoxManage startvm 6c283577-029d-4ede-bf53-0ea00f2266f2
Waiting for VM "6c283577-029d-4ede-bf53-0ea00f2266f2" to power on...
VM "6c283577-029d-4ede-bf53-0ea00f2266f2" has been successfully started.

In both cases I use following configuration:

user$ grep -i virtualbox /etc/nixos/configuration.nix 
  #services.virtualbox.enable = true;
  services.virtualboxGuest.enable = false;
  services.virtualboxHost.enable = true;
vcunat referenced this issue Dec 10, 2014
@aszlig
virtualbox: Enable hardening by default.
3e49487 
VirtualBox with hardening support requires the main binaries to be
setuid root. Using VBOX_WITH_RUNPATH, we ensure that the RPATHs are
pointing to the libexec directory and we also need to unset
VBOX_WITH_ORIGIN to make sure that the build system is actually setting
those RPATHs.

The hardened.patch implements two things:

 * Set the binary directory to the setuid-wrappers dir so that
   VboxSVC calls them instead of the binaries from the store path. The
   reason behind this is because nothing in the Nix store can have the
   setuid flag.
 * Excempt /nix/store from the group permission check, because while it
   is group-writeable indeed it also has the sticky bit set (and also
   the whole store is mounted read-only on most NixOS systems), so we're
   checking on that as well.

Right now, the hardened.patch uses /nix/store and /var/setuid-wrappers
directly, so someone would ever want to change those on a NixOS system,
please provide a patch to set those paths on build time. However, for
simplicity, it's best to do it when we _really_ need it.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
@aszlig
Copy link
Member

aszlig commented Dec 10, 2014

Geesh, seems to only happen with VBoxManage directly, going to have a look at it later, thanks for reporting.

@domenkozar domenkozar added 0.kind: bug Something is broken 1.severity: blocker This is preventing another PR or issue from being completed labels Dec 10, 2014
@domenkozar domenkozar added this to the 14.12 milestone Dec 10, 2014
@aszlig aszlig self-assigned this Dec 10, 2014
@ambrop72
Copy link
Contributor

I'm seeing this just by starting VirtualBox. An error dialog with the same text also shows up.

[ambro@nixos:~]$ VirtualBox 
VirtualBox: Error -10 in SUPR3HardenedMain!
VirtualBox: Effective UID is not root (euid=1000 egid=1000 uid=1000 gid=1000)

VirtualBox: Tip! It may help to reinstall VirtualBox.

@aszlig
Copy link
Member

aszlig commented Dec 11, 2014

@ambrop72: Did you start it using the setuid wrapper? What does type VirtualBox give?

@ambrop72
Copy link
Contributor

Forgot to say that I don't use the virtualbox nixos service. I just:

  • Add config.boot.kernelPackages.virtualbox to boot.extraModulePackages and environment.systemPackages.
  • Add the vbox kernel module names to boot.kernelModules.
  • The udev rules.

I know this is not a supported configuration. But I don't want to use the virtualbox-host nixos service because it uncodnitionally sets up a network interface.

I see that this module does add a setuid wrapper around VirtualBox which I do not have. I'm wondering, why did it work before (4.3.18 I think)?

@aszlig
Copy link
Member

aszlig commented Dec 11, 2014

Ah, you might want to add config.boot.kernelPackages.virtualbox.override { enableHardening = false; } to extraModulePackages and systemPackages instead.

But since we now have a NixOS module for VirtualBox it might be a good idea to allow disabling the set up of the vboxnet interface.

@ambrop72
Copy link
Contributor

I went with the disabling approach, works okay now, thanks! #5300

@aszlig
Copy link
Member

aszlig commented Dec 12, 2014

@iElectric: This is not solved yet! Currently working on a fix and a test.

@aszlig aszlig reopened this Dec 12, 2014
@Fuuzetsu
Copy link
Member

My VBox is also broken although I'm not sure if by the commit in question and if even same problem. NS_ERROR_FACTORY_NOT_REGISTERED is given if I try to start it up.

@aszlig aszlig closed this as completed in 0d71ec8 Dec 13, 2014
aszlig added a commit that referenced this issue Dec 13, 2014
@aszlig
nixos/virtualbox: Fix setuid wrappers.
2460b40 
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!

Fixes #5283.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
(cherry picked from commit 0d71ec8)
@Fuuzetsu
Copy link
Member

FTR my issue was due to some permissions going wrong on /tmp/.vbox-$USER-ipc in case anyone wonders in the future. Removing the file made the problem fix itself.

And pushed fix works for the issue at hand too ;)

@lucabrunox
Copy link
Contributor

I think this is going to be more painful than what it seems. We still don't know if every old virtualbox usage works after the hardening has landed. I suggest to remove virtualbox hardening from 14.12, and let it settle in master for future backport in 14.12 cc @iElectric

@sjau
Copy link

sjau commented Feb 27, 2017
edited
Loading

Hi there

on current unstable I do now get the same error:

Effective UID is not root (euid=1000 egid=100 uid=1000 gid=100) (rc=-10)

Please try reinstalling VirtualBox.

where: SUPR3HardenedMain what: 2 VERR_PERMISSION_DENIED (-10) - Permission denied.

In the config I have:

    # Enable Virtualbox
    virtualisation.virtualbox.host.enable = true;
    boot.kernelPackages = pkgs.linuxPackages // {
        virtualbox = pkgs.linuxPackages.virtualbox.override {
            enableExtensionPack = true;
            pulseSupport = true;
        };
    };
    nixpkgs.config.virtualbox.enableExtensionPack = true;

[...]
        extraGroups = [ "networkmanager" "vboxusers" "wheel" "audio" "cdrom" ]; # wheel is for the sudo group

@vcunat
Copy link
Member

vcunat commented Feb 27, 2017

I suspect it's #22914

@sjau
Copy link

sjau commented Apr 7, 2017

Unfortunately #22914 didn,'t help. Sill have the same issue:

17.09pre105060.0a6a06346a (Hummingbird)
nix-env (Nix) 1.11.8
"17.09pre105060.0a6a06346a"

@vcunat vcunat reopened this Apr 7, 2017
@fpletz fpletz modified the milestones: 17.09, 14.12 Jul 25, 2017
@fpletz fpletz mentioned this issue Jul 25, 2017
Closed
@aszlig
Copy link
Member

aszlig commented Sep 14, 2017

@sjau: Is this only the case when you're enabling the extension pack?

@aszlig aszlig removed their assignment Sep 14, 2017
@sjau
Copy link

sjau commented Sep 15, 2017

meanwhile it works again for me.

@fpletz fpletz removed the 1.severity: blocker This is preventing another PR or issue from being completed label Sep 25, 2017
@vcunat
Copy link
Member

vcunat commented Oct 16, 2017

Let's close until someone can reproduce it (again).

@vcunat vcunat closed this as completed Oct 16, 2017
@karkusviktor karkusviktor mentioned this issue Mar 4, 2024
Open
adrianpk added a commit to adrianpk/nixpkgs that referenced this issue May 31, 2024
@adrianpk
nixos/virtualbox: Fix setuid wrappers.
6aa2caa 
We only need to have setuid-root wrappers for VBox{Headless,SDL} and
VirtualBox, otherwise VBoxManage will run as root and NOT drop
privileges!

Fixes NixOS#5283.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
(cherry picked from commit 0d71ec8)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0.kind: bug Something is broken
Projects
None yet
Milestone
17.09
Development

No branches or pull requests
9 participants
@fpletz @domenkozar @aszlig @4z3 @lucabrunox @sjau @Fuuzetsu @vcunat @ambrop72