Connection through unplugged network possible

[DdB]

This observation is from 4.3.28, infrastructure not yet ready for the upgrades (*.30 or 5.*):

A vm used to do processing after being filled with data and then disconnected (logically) from the net...
...to elaborate: 2 network cards configured to the vm, one host only, to access shared folders, one bridged to access the net (in case a software update is necessary), the second usually disconnected (from the GUI).

This used to provide some isolation from the net for critical data like passwords. Now, in 4.3.28, this does no longer isolate and secure the data, since it is now possible to connect through a network card, even though it is (logically) disconnected. To remove the network card from the vm configuretion instead still seems to work, but may also increase error-rate for the user in the process.

I did not take the time to check, how wide-spread this regression bug is showing, while still in shock as of the very real possibility of the password database being leaked out by untrustworthy software, that had been locked down by the vm before!

[DdB]

I forgot to say:

the host-only network is still disconnected (but configured) while the 2nd net is unconfigured. Thus i would NOT expect there to be access to the shared folders at this time, yet they are (and even writeable). Very irritating, because the procedure up to this point had been:

disconnect net1, reboot -> no shared folders anymore
connect net2 -> access software updates
disconnect net2, connect net1, reboot -> safe again

Now (still on *.28) the shared folders remain accessible while both networks appear as being disconnected. That could have been introduced while fixing intermittent disconnection bugs from earlier releases?

[mpack]

These are user forums. Did you raise this in a BugTracker ticket for the devs to see?

[DdB]

These are user forums. Did you raise this in a BugTracker ticket for the devs to see?

No, in my understanding, Oracle accepts feedback of this kind only, if i have a payed support contract. And anyhow, i'd prefer someone to reproduce this before this gets escalated.

Do i understand correctly, in this user forum i should keep quiet concerning possible problems/bugs with the PUEL version of vbox? n.p. - just intended to help.

[Martin]

Are you sure that the shared folders were not available in earlier versions without a network card?
Vbox shared folders were never using a network card connection. They work "internally" through guest addition features.

[DdB]

They work "internally" through guest addition features.

Interesting. No easy way to check this now. But the documentation is confirming your take: from https://www.virtualbox.org/manual/ch04.html

Much like ordinary Windows network shares, you can tell VirtualBox to treat a certain host directory as a shared folder, and VirtualBox will make it available to the guest operating system as a network share, irrespective of whether guest actually has a network.

Will have to rethink... Thx for the hint.

[mpack]

These are user forums. Did you raise this in a BugTracker ticket for the devs to see?

No, in my understanding, Oracle accepts feedback of this kind only, if i have a payed support contract.

I'm not quite sure where you got that idea. By providing them with a reproducable bug report you are helping them improve the software for their paying customers, this is part of why get to use the software for free.

The only thing that a support contract gets you is a right to support. Anybody can report a bug, but only those with a support contract are entitled to any kind of priority response.

On the other hand, if you fail to raise a bug ticket then there is a good chance that the devs will never be aware of the problem, which is a good way to ensure that you never see a fix.

[DdB]

By providing them with a reproducable bug report you are helping them improve the software

That was my intention, last time i tried... it was simply too hard to get the message through. Cannot remember the details, because i reverted to local workarounds since then. (I had 5 (!) for the 4.2.x release in place and would have been fond to share...) But it all begins with single-sign-on, lots of agreements i wasnt willing to accept, let alone reveal privacy info. And i have a couple of bad memories from my days as a professional. I just dont seem to fit into the frame of expectations.

But luckily, this time, it is all different: i caught myself in a pit: misunderstanding the intended functionality. So no bug at all, it is a feature.

Thank you for your attention.
DdB