Raw Disk Privilege Escalation for Root Owned Devices

[Haravikk]

Currently when VirtualBox is asked to use a raw-disk .vmdk for which the current user has insufficient permissions for the target device, it simply returns an error (VERR_ACCESS_DENIED). I'd like to propose that instead it should first request privilege escalation as root, via the appropriate means for the host platform, and only fail if this is cancelled.


This is important especially on Mac OS X, where I tried to create a VM for launching my Windows partition. As root I created a suitable raw-disk .vmdk, and changed its permissions to the user I run Virtual Box under. However, when I try to add the disk I get the VERR_ACCESS_DENIED error, as the target device (/dev/disk0) is only accessible as root. In the past this could be worked around (but not advisedly so) by changing permissions for /dev/disk0, however with El Capitan (and now Sierra) the System Integrity Protection feature prevents this unless the SIP file-system protection is disabled which is far from recommended.

Anyway, neither of these workarounds should be necessary if Virtual Box gains the ability to ask for root access for raw disks, as this should be sufficient to access them. Other VM solutions such as VMWare Fusion work this way so I believe that this should be all that's required for VirtualBox to support Bootcamp VMs on the latest versions of Mac OS X, without having to have users disable SIP or mess around with device permissions (which isn't a good idea to begin with).


I'm not sure how this applies on Linux hosts and such, as I only use these as guest OSes, but I imagine this capability would be useful for them as well. I don't know anything about the procedures involved when VirtualBox accesses a raw disk, so hopefully someone can weigh in on how complex this change would be in practice; it sounds simple when phrased "just do it through sudo" but I know from experience it may not be as easy as that in practice

[Martin]

In Linux you just add your user to the "disk" group to assign the correct access rights.

[scottgus1]

For Windows, the going advice (not tested by me as I have not done raw access, but others have confirmed it) is to right-click the Virtualbox shortcut and pick "Run As Administrator". There is a checkbox for this in the Compatibility tab for Virtualbox.exe, to "Run as Administrator" all the time.

[Haravikk]

In Linux you just add your user to the "disk" group to assign the correct access rights.

Ah, I didn't know that, so it sounds like this would mostly benefit the Mac side.

Still, this would be useful on Linux since it would only require access on-demand, rather than being permanently added. Same with Windows; I don't think an app should *have* to be run as Administrator, presumably there's some way to request escalation only when needed rather than running as admin all the time?

[Perryg]

Actually all that is required with Linux is to have the tag "-relative" in the creation of the VMDK. I would assume the same would be true for Mac but have never tried it.

See http://www.virtualbox.org/manual/ch09.html#idm7067

[Haravikk]

Actually all that is required with Linux is to have the tag "-relative" in the creation of the VMDK. I would assume the same would be true for Mac but have never tried it.

Ah, didn't know about that option! Unfortunately it doesn't appear to be present on the Mac version of VBoxManage
I wonder what the reason for that might be though, is it something that could be added for Macs as well?