HOWTO PROHIBIT Users Creating New VMs?

[xobv]

Hi, we have 3 Ubuntu OS computers, with each WinXP Virtual Machines Guests in them. However the users can also create NEW VIRTUAL MACHINES.

How can I prohibit the Users of my Computers From Creating NEW / Other Virtual Machines in their OS?

I've tried from System>Administration>Users and Groups>

"uncheck Use Virtualbox" but the problem is, now they can't use hardware peripherals or USB devices, it's NO-USE. Please help.

Thanks for reading.

[mpack]

You could provide links to launch VMs directly, bypassing the VBox GUI - which would be hidden away somewhere. There is no way to completely prevent the ability to create new VMs (VBox provides no such feature), but that ability need not be advertised.

[xobv]

@mpack

Thank you for your reply. I will try this soonest. But I don't know how to do what you're saying:

You could provide links to launch VMs directly,

- I'm using an Ubuntu HOST, how do you do that? Thanks for your time.

[xobv]

@mpack

Hey I figured out of my laziness it's unfair because you helped me so I Googled and here's how to create those shortcuts to your virtual machines!

http://blarts.wordpress.com/2007/12/03/ ... -shortcut/

http://www.ubuntugeek.com/how-to-contro ... anage.html

Thank you very much for the idea man. God bless.

[mpack]

Well, I'll just add a warning to future readers that the some of the information given in those links is out of date - the first link in particular is way out of date (the correct path to VBoxManage.exe on Windows hosts has changed at least twice since then - I'm no expert on Linux and Mac hosts but I expect the same is true there as well). I note that the user manual deprecates the use of "VBoxManage startvm" but doesn't really offer a viable alternative. I do know that

Code: Select all

VirtualBox.exe --startvm <vmname>

can also be used, and perhaps this would retain the error reporting that the user manual warns about.

[xobv]

My problem now is if Users of the same Ubuntu Host Machine, they are ordinary users, type

VirtualBox

in the command line.

They can tinker with the settings of the Virtualbox.

How do you really protect your VirtualBox GUI?

[mpack]

The user must have access to the command in order to launch VMs. There's no way around that, and VBox does not provide piecemeal password protection of individual features.

[xobv]

Hi I thought of a quick and dirty fix.

If you're using Ubuntu Lucid Lynx

Backup first your VirtualBox command, it's found in /usr/bin/

sudo cp /usr/bin/VirtualBox /home/username

Then remove it entirely:

sudo rm /usr/bin/VirtualBox

There!

PS I hope someday they will make a feature to password protect the VirtualBox GUI! It makes sense.

[mpack]

How does that help you? If the VirtualBox command is inaccessible then it can't be used to run VMs either. Have you actually tried out your fix?

[xobv]

Hi mpack.

Yeah, I tried it and it works for me.

When I examined the ls -l of my /usr/bin/ I noticed that VBoxManage, VirtualBox, VBoxHeadless, VBoxSDL, etc... are all executable PATH variables.

So I decided to experiment and take away VirtualBox because it's actually the one that launches the GUI.

Then I made a startup script in my user's Startup Applications in Ubuntu, VBoxManage startvm MS XP, to automatically start a Guest OS (Windows), that doesn't necessarily go through a GUI or menu. Note: I've also tried making alias and creating a sudoer to launch VirtualBox, but none of them worked effectively, I was always able to make a workaround.

I also removed the CD Rom drive in my Guest OS'es because I don't want users to be able to boot from the CD by hitting F12 on startup of Guest OS.

When I was studying all these, I was only led to one conclusion, that the VirtualBox GUI, is the main security concern so to solve that problem, disable it and your security issues will fix themselves.

Finally chmod 700 VirtualBox so ONLY the owner can access the GUI again. You can launch it in Ubuntu, just go to where you put it and type ./VirtualBox. It's a good thing it's a script.

Hope this helps someone.