Using a firefox profile from a shared folder

[Noobster739]

No matter whether I mount as root or as user Firefox complains about the places file being locked.
However, lsof does not show any file handle from another software to the profile folder.

If I cat a file - no problem
If I delete a file - no problem


What might be the issue, it must be something about the vboxsf-mount.

This is not a new issue, See Topic 42404 (I am not allowed to post URLs)

[socratis]

Are you trying to use VirtualBox Shared Folders for that? Don't. It wont work.

VirtualBox's Shared Folders present a very simplified file system implementation, just enough to read/write files from/to the guest. Many applications can error when using Shared Folders, because they expect advanced features, for example file locking, access controls, etc., which don't exist as a concept for Shared Folders.

Use a proper network share, SMB, NFS, etc...

[Noobster739]

If I do a flock on the mounted folder I get the lock without issues - doesnt that mean that locking works?
I can chmod the files on the mounted Folder - doesn't that mean access controls are working?

My host is a Windows client. By now I use simple NATing. For security reasons I dont really want my host system exposed to the VM.
Even more I think about applying this to a VM that routes all traffic through a VPN and therefore is not able to access the local network or the host using IP.

What is the easiest way to provide a file server ONLY accessible from the VM without allowing any other access? As CIFS/SMB was a proper attack surface time and time again, I'd rather prefer to use something else.

EDIT: Is there something like a virtual USB device (Thumbdrive) I can use?!

[socratis]

If I do a flock on the mounted folder I get the lock without issues - doesnt that mean that locking works?

I won't have the slightest idea. The point is that the VirtualBox Shared Folders (VSF) are not your typical filesystem. Expect things to break...

I can chmod the files on the mounted Folder - doesn't that mean access controls are working?

They can't. You're on a Win Host. Do you think that the files in your Win Host have the ACLs that your VM has? No way...

For security reasons I dont really want my host system exposed to the VM.

There's no such thing if your guest has any sort of networking, except "Internal" networking. See the overview table in ch. 62 of the online PDF manual: https://download.virtualbox.org/virtual ... ection.6.2

What is the easiest way to provide a file Server ONLY accessible from the VM without allowing any other access?

How can you provide a file-server, yet not have the host exposed (previous point)? I don't get it...

[Noobster739]

I'm looking for a simple way to solve this without breaking the security model - so I'm looking for different options.

I just tried a veracrypt container and failed - the container cannot be mounted from the mounted shared folder.
I tried ImDisk to create a virtual USB thumbdrive in order to pass this usb device to the VM, but VBox does not seem to recognize that device (at least not as a USB device)

[socratis]

Not sure what you have in mind about your "security model", but if there's a connection between two computers, none of them can be truly secure. You just take your standard protective measures, and think straight! Don't go paranoid!

And I don't see how "encrypted containers" would help in security...

[Noobster739]

The encrypted container is not about security in this case. I just tried to circumvent the limitations of the VBox shared folders implementation by having a container in the shared folder and mount it - because Firefox has no issues using a profile that is stored in a mounted container - however as I said mounting is not possible, either.

The risk of escape-to-hypervisor is much lower than the risk of an attack via SMB. I use VMs for higher-risk activities such as web browsing. Now I want to reset the VM after usage but keep history and bookmarks.

What do you have in mind talking About " standard protective measures" ? Patch your Software, have an antivirus and hope not to stumble upon a zero-day?

[socratis]

Patch your Software, have an antivirus and hope not to stumble upon a zero-day?

And watch where you're "walking", but yeah, that's pretty much the idea. Treat it like you'd treat your host.

As for replacing SMB, you can try an FTP server. Or a USB stick. Or share something from your guest rather than your host. Convenience vs. isolation...

And I really hope that you're not accessing the same Firefox profile from host and guest...

[Noobster739]

"watch where youre walking" is pretty outdated in my opinion. keyword: malvertising...

USB Stick would be nice, if I could have a virtual one. Having a physical USB stick attached to the notebook permanently for this is not what I would prefer to do.

The idea is to not use a browser on the host at all.

[Dave B]

Hi Noobster739,

Tried some tests

1. Using Firefox profile from a virtual USB drive while using snapshots has the following limitation, when a snapshot is restored, attached virtual USB drive is also restored losing any added bookmarks / changes.

2. While not the best approach, have no issues here using a Firefox profile from shared folder ((VirtualBox 6.0.0) could be due to using GNU/Linux as host and guest), bookmarks and changes are preserved while using snapshots.

Since you're not able to use your Firefox profile from shared folder, maybe consider a different approach, write a Firefox launcher script which copies the profile from the shared folder, launches Firefox, then writes it back as Firefox closes? Not the most elegant, but provides a workaround with the following caveat, Firefox must be closed before snapshot is restored, or any Firefox changes will be lost.

- Firefox launcher script overview (script is intended for after you have already copied your Firefox profile to the shared folder)

1. if Firefox profile ~/.mozilla exists remove it
2. copy /media/sf_shared/.mozilla to ~/
3. launch Firefox
4. if Firefox profile /media/sf_shared/.mozilla exists remove it
5. copy ~/.mozilla to /media/sf_shared/

Script could be expanded to first create a backup, then delete, rename backup and so forth...

Recommend (using the guest) create a new Firefox profile to test the above script idea, rather than risk losing your current profile.

[Noobster739]

Thank you for this idea. Copying the files back from shared folder seems to result in a broken profile for reasons that I did not debug yet.

[Air Force One]

Hi Noobster739,

Is this something like ticket 17626?