
Protecting a Host Only Network Interface

Posted: 2. Sep 2010, 12:09
by AndersKOlsson
Hi,

in the 2.x branch of VB we used a TAP device created by the 'VBoxTunctl' command shipped with VB. In the 3.x branch (or 3.2.8, as we currently use) an interface of that type can no longer be used for Host Only Networking; instead we're supposed to use vboxnet0 etc. interfaces. These can be created with the 'VBoxNetAdpCtl' command. When adding a new one, the name cannot be specified, but only gets incremented compared to how many interfaces currently exist. When using the "VBoxNetAdpCtl <adapter> <address>" command, the adapter's address changes on the system, but changes back to whatever it was before as soon as you start a VM using that interface (possible bug?). The solution is to use 'VBoxManage hostonlyif ipconfig ...'

Major question: The core problem we're facing is that these vboxnet0 adapters can be created by anyone who has the privileges to run VMs. But they also have the possibility to remove interfaces, including the ones created by others, which might be used by them. Is there a way to make the behavior more like VB 2.x? So that root can create interfaces that are only modifiable by root, but can be used by all users? I'm guessing that removing SUID permissions from the VBoxNetAdpCtl command would stop users from being able to change anything with Host Only interfaces? But then they'd get nasty errors, and would not be able to create interfaces for their own use, which is a pity.

Minor question: If it's no longer supported for HostOnly Interface use, why is 'VBoxTunctl' included in the newer versions of VB?

Cheers,

Anders
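
To inspect the exposure discussed in the post above, the following added example (not part of the original post, and not VirtualBox code) classifies who can invoke a setuid helper from its mode bits. The function names are hypothetical, and the helper's path is passed as an argument because the post does not say where it is installed.

```shell
#!/bin/sh
# Classify who may run a setuid helper (for instance VBoxNetAdpCtl) from its
# mode bits. Assumption: the caller supplies the path; none is given in the post.

# suid_exposure FILE prints one of:
#   missing     FILE does not exist or is not a regular file
#   no-suid     setuid bit not set: the helper runs with the caller's privileges
#   any-user    setuid and executable by "other": every local user runs it as its owner
#   group-only  setuid, executable by the group but not by "other"
#   owner-only  setuid, executable only by the owner
suid_exposure() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    [ -u "$f" ] || { echo no-suid; return 0; }
    # find prints the path only when all the listed permission bits are set
    if [ -n "$(find "$f" -perm -0001)" ]; then
        echo any-user
    elif [ -n "$(find "$f" -perm -0010)" ]; then
        echo group-only
    else
        echo owner-only
    fi
}

# helper_report FILE prints one line: mode, owner, group and exposure class.
helper_report() {
    f=$1
    class=$(suid_exposure "$f")
    if [ "$class" = missing ]; then
        echo "$f: missing"
        return 1
    fi
    # ls -ld fields: mode, link count, owner, group, ...
    set -- $(ls -ld "$f")
    echo "$f: mode=$1 owner=$3 group=$4 exposure=$class"
}

# Run against a path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    helper_report "$1"
fi
```

A result of `any-user` with owner root corresponds to the situation described in the post, where anyone able to run the helper can add or remove host-only interfaces.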