
Too secure file permissions can stop VirtualBox working

Posted: 9. Jun 2009, 19:03
by slowmo
Securing Ubuntu by changing file permissions can stop VirtualBox working

Hi, this is part question, part information.

I'm using VirtualBox 2.2.4 on a machine running Ubuntu 8.04.

After doing some research on making Ubuntu more secure I changed the permissions on the following files to 0700.

/usr/bin/who
/usr/bin/w
/usr/bin/finger
/usr/bin/locate
/usr/bin/whereis
/usr/bin/vi
/usr/bin/which
/usr/bin/gcc
/usr/bin/g++
/usr/bin/cc
/usr/bin/make
/usr/bin/apt-get
/usr/bin/aptitude
/usr/bin/telnet
/bin/ping
/bin/nano


This caused VirtualBox to stop working but if I tried running it as root it worked.

I have managed to overcome this problem by changing the group associated with the following files and changing their permissions to 0750. VirtualBox now works.

My question is does anyone know exactly which of the above files VirtualBox needs to access in order to run?

Thanks very much.

Re: Too secure file permissions can stop VirtualBox working

Posted: 9. Jun 2009, 19:52
by baf
Guesswork!
In probability order:

good candidates:
/usr/bin/who
/usr/bin/w

possibly:
/usr/bin/which
/usr/bin/whereis

don't think so:
/usr/bin/finger
/usr/bin/locate
/usr/bin/vi
/usr/bin/gcc
/usr/bin/g++
/usr/bin/cc
/usr/bin/make
/usr/bin/apt-get
/usr/bin/aptitude
/usr/bin/telnet
/bin/ping
/bin/nano

Also it's pretty pointless to do it like this. If you allow ssh and scp they could fetch anything somewhere else.
What are you trying to protect from?

Re: Too secure file permissions can stop VirtualBox working

Posted: 9. Jun 2009, 23:56
by slowmo
Thanks Baf

I'm fairly new to Linux so I feel I'm at the point where I know enough to know how much I'm ignorant of, if that makes sense. Consequently I'm doing a lot of researching.

I found a few sites that recommended that doing this was a way to make Ubuntu more secure but they didn't say what they were protecting against.

Anyway I'll experiment with those and see and post how I got on.

Re: Too secure file permissions can stop VirtualBox working

Posted: 12. Jun 2009, 15:32
by slowmo
Thanks again Baf

I have tested those which you thought were good candidates and it seems that it is only /usr/bin/whereis that VirtualBox needs to access.

So if there are any other people out there who are trying to secure their system more by applying more restrictive permissions to files please be aware that if the file permissions on /usr/bin/whereis are too restrictive VirtualBox will not load.

If you want to keep the permissions on /usr/bin/whereis restrictive I would suggest that you set the permissions to 0750, change the group associated with the whereis file (e.g. to vboxusers) and make sure that any users that are going to use VirtualBox are members of the group that you have assigned to whereis.
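
An added example, not part of the thread or of VirtualBox: a shell helper that applies the owner/group/other rule to show which restricted binaries an account can still execute, so the 0700 versus 0750-plus-group difference discussed above can be checked before an application fails. The function names and the `alice` account are constructed; `stat -c` assumes GNU coreutils, uid 0 is assumed to be named `root`, and ACLs are not considered.

```shell
#!/usr/bin/env bash
# Added example: which restricted binaries can a given account still execute?

# can_exec MODE OWNER GROUP USER "USER_GROUPS"
# Returns 0 if USER may execute a file with these attributes, 1 otherwise.
# Exactly one permission class applies: owner first, then group, then other.
can_exec() {
    local perms g
    perms=$(( 0$1 & 0777 ))            # MODE is octal, e.g. 750 or 0750
    if [ "$4" = root ]; then           # root still needs at least one x bit
        [ $(( perms & 0111 )) -ne 0 ]; return
    fi
    if [ "$4" = "$2" ]; then           # owner class wins even if group has x
        [ $(( perms & 0100 )) -ne 0 ]; return
    fi
    for g in $5; do                    # group class, if USER is a member
        if [ "$g" = "$3" ]; then
            [ $(( perms & 0010 )) -ne 0 ]; return
        fi
    done
    [ $(( perms & 0001 )) -ne 0 ]      # everyone else
}

# audit_user USER FILE...: report each file using live data (GNU stat, id).
audit_user() {
    local user="$1" ugroups f meta m o g
    shift
    ugroups=$(id -Gn "$user") || return 2
    for f in "$@"; do
        meta=$(stat -c '%a %U %G' "$f" 2>/dev/null) || { echo "missing $f"; continue; }
        read -r m o g <<EOF
$meta
EOF
        if can_exec "$m" "$o" "$g" "$user" "$ugroups"; then
            echo "ok      $f"
        else
            echo "DENIED  $f (mode $m, $o:$g)"
        fi
    done
}

# Usage: ./audit.sh USER FILE...   e.g. ./audit.sh alice /usr/bin/whereis
if [ "$#" -gt 0 ]; then audit_user "$@"; fi
```

Running it for each VirtualBox user against the list of tightened files shows every `DENIED` entry at once instead of finding them one failure at a time.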