I've been having the same problem on my Ubuntu Gutsy server.
Until there's a better way of sorting this out, best practice for now is to add the username that you are running VirtualBox under to the shadow group by manually editing the "/etc/group-" (note the minus sign at the end). Find the line "shadow:x:42:" and add the username to the end.
This at least reduces the security hole by allowing only one extra user access rather than everyone.
As far as I can make out after lots of reading on the net, it seems that PAM modules are run with the calling process's UID. Therefore when VBoxVRDP calls login (specifically the pam_unix.so PAM library) with UID "username", the library cannot access the root-only /etc/shadow.
I can't find a better way to fix this at the moment, but would love to hear about one if it exists. Maybe pam_unix.so could be made SUID root, but would this open a bigger security hole than the above? Security experts, please comment!
OK, scratch the above, it stopped working after a reboot...
Had another go and making the VBoxVRDP binary SETGID shadow seems to solve the problem. Again, I'm not sure of the security implications, so I'd like anyone with more experience to comment, but it seems to my mind that having only one process with shadow abilities is even better than one user (above) and infinitely better than everyone.
I did the following:
- Code:
sudo chown root:shadow VBoxVRDP
sudo chmod 2755 VBoxVRDP
I think this is the right way to go about it.
This method has worked fine after a reboot.
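
As an added example (not part of the original posts), here is a shell check that a setgid helper such as the VBoxVRDP binary above stays locked down the way the chown/chmod pair intends: root-owned, group shadow, setgid set, and not writable by anyone who could replace its contents. The function name `check_setgid_helper` and its arguments are hypothetical; GNU `stat` and `getent` are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a setgid helper binary.
# usage: check_setgid_helper PATH [OWNER_UID] [GROUP_GID]
# Assumed defaults: owner uid 0 (root), group = gid of "shadow" via getent.
check_setgid_helper() {
    path=$1
    want_uid=${2:-0}
    want_gid=${3:-$(getent group shadow | cut -d: -f3)}
    rc=0

    [ -f "$path" ] || { echo "FAIL: $path is not a regular file"; return 2; }

    # GNU stat; -L follows symlinks so the real binary is inspected.
    set -- $(stat -L -c '%u %g %a' "$path")
    uid=$1; gid=$2; mode=$((0$3))
    dmode=$((0$(stat -L -c '%a' "$(dirname "$path")")))

    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid is $uid, want $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "FAIL: group gid is $gid, want $want_gid"; rc=1; }

    # 02000 = setgid: without it the process never gains the group.
    [ $((mode & 02000)) -ne 0 ] || { echo "FAIL: setgid bit not set"; rc=1; }
    # 04000 = setuid: more privilege than reading /etc/shadow requires.
    [ $((mode & 04000)) -eq 0 ] || { echo "FAIL: setuid bit is set"; rc=1; }
    # 022 = group/other write: a writable setgid file can be replaced
    # by whoever has write access and then run with the group's rights.
    [ $((mode & 022)) -eq 0 ] || { echo "FAIL: binary writable by group or other"; rc=1; }
    [ $((dmode & 022)) -eq 0 ] || { echo "FAIL: parent directory writable by group or other"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $path"
    return "$rc"
}
```

Run it as `check_setgid_helper /path/to/VBoxVRDP` after the chown/chmod step and again after package upgrades, since a reinstalled binary may come back with different ownership or mode.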