GA shared folder and trust by a Windows XP guest

Posted: 19. Jul 2014, 21:14
by Figes
Hello,

Summary
  • Specific context
  • Why a GA shared folder instead of a network share? Simple, secure.
  • Specific fix, not satisfying
  • Design consideration and why shared folders should be trustable by the guest.
If it's too long just skip to the two questions at the end. Thank you.

Netiquette

Before posting I've read "Rules and FAQ", "The Forum Posting Guide", "Manual 4.3. Shared folders", "Minimum information needed for assistance", "VirtualBox Limits", "The QuickClick FAQ (shortcuts)". :)

System information

* Using VirtualBox 4.3.10-dfsg-1 from regular Ubuntu 14.04 packages.
* Guest additions installed, v 4.2.16 then 4.3.10.
* Guest log file attached.


Context

I'm developing a .NET 4 (C#, WinForms) application using VS2010 on XP in a VirtualBox virtual machine, Ubuntu 14.04 host.

Developing inside the regular filesystem of the virtual machine works fine. :D

Motivation

It's interesting to actually have all variable files (project source tree, etc) on a VirtualBox GA (Guest Additions) shared folder. :)

Advantages:
* safely keep a few snapshots of tool installations in the VM, no need to keep more VM state. No more snapshots growing and filling the host because of big generated build trees. You can even tell VirtualBox to revert to the latest snapshot on power off. You'll still have all the tools you need and resume work on your projects on the shared folder.
* project source tree is available when the VM is off.
* source tree is safe even if the VM crashes or gets broken -- this happened this week. (Yes, I'm using git correctly.)
* plus some more convenience: symlinks on the host side of the shared folder nicely present a consistent view to the VM of various places on the host.

Why a GA shared folder instead of a network share? Simple, secure.

* Very easy to set up on the guest, follow the manual.
* Easier to set up on the host than network drives, especially on a Linux host. I've no need for Samba on my machine. GA shared folders just work.
* Using a regular network share would turn this into a pure Windows issue of trusting a network share... which I've tried without satisfaction. Solutions for that problem should also work on a GA shared folder, shouldn't they? See below.

Security gets in the way

Technically, the GA shared folder works flawlessly. I had none of the problems that some people reported on VS2008, on Mac hosts, etc (save failure, files disappearing). Everything works here.

Only, Windows XP considers that the GA shared folder is less trusted than the virtual filesystem.
This prevents some parts of the compilation with security errors, and the program from actually running, with security errors again, not technical failures. :o

Had the shared folder been an actual network drive, that would be a logical default security policy.

In this particular case, the shared folder being my host, it's rather more trusted than the virtual filesystem (performance, security, robustness).

Attempts at fixing

Local fixes do work, for example adding a C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\NETFX 4.0 Tools\sgen.exe.config with content:


<configuration>
  <runtime>
    <loadFromRemoteSources enabled="true" />
  </runtime>
</configuration>
... lets it compile fine. This step is fixed.

But more problems happen because the folder itself is untrusted.
The program runs, can be debugged, but gets exceptions related to security. :?

I've tried .NET-level fixes, like caspol. Some progress, but that's a can of worms. "I've given all I can; it's not enough." Official resources are about deployment, not developing on a network drive. And these are off-topic in this case. The target software being maintained is already deployed to local drives and that works, no security concerns. This is really off-topic.

Anyway, fixing each step because the folder is untrusted looks like it's not a good design.

The only problem is: shared folders are claimed to be untrusted, which seems an unnecessary thorn in the foot. :cry:

I've looked for OS-level (not .NET-level) solutions like telling XP it should trust all network drives. Could not find anything actually working.

Why are GA shared folders untrusted, really?

Do GA shared folders currently appear untrusted because the VirtualBox driver tells the guest they are, or does something different happen?

Fundamentally:

* GA shared folders (not the implementation: the principle) are not real network shares with all the network security problems.
* I believe GA shared folders to be fundamentally much more secure than a regular network folder. Think about it: it's VirtualBox infrastructure (like CPU, storage), it's set up by the virtual machine administrator, is there anything the VM can trust more than that?
* Of course the user can change content. But the VM virtual disks are regular files with tools to fiddle with them. The guest OS trusts them.

Really, design-wise there's no reason for GA shared folders to be untrusted.

A better design ?

All in all, what if there was an option attached to each shared folder that would say "claim to the guest that this folder is trusted"?
If it's ticked, then the files there will be "as trusted as a local device". Else the files would be "as trusted as a network share".

The very reason shared folders exist is to provide a sane, simple way to exchange information. Its clean design allows working with several guest OSes. Is there a good reason why we can't express within this design that the VM should trust the files that it finds there? The answer lies in the possibility, in each guest OS, of making the driver say so to the OS. Is that possible? I'm aware that it's not a block device but a file-level driver, which makes things different and dependent on OS logic.

Questions

To summarize, there are two questions (besides the implicit "am I thinking right?"):

* Is there a pure Windows XP way to say "I trust this network drive" or even "I trust all network drives"? (It's a development machine in a controlled environment.)
* Does the idea of shared folders having a "trusted" flag make sense design-wise? Implementation-wise?

Thank you for reading this far and thanks a lot for any hint. :D
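A small diagnostic that helps answer the poster's first "why" question (whether the guest runtime actually classifies the shared folder as a network location). This is an added example, not code from the post or from VirtualBox: it asks the .NET Framework's own zone mapper which SecurityZone it assigns to a path, so you can compare a file on the virtual disk with the same file reached through the VirtualBox \\VBOXSVR UNC name. The sample paths are constructed assumptions; replace them with your own, and pass mapped drive letters in their UNC form, since the runtime zones by URL rather than by drive letter.

```csharp
// Added diagnostic (not from the forum post): report which Windows security zone
// the .NET Framework runtime assigns to a file path, so you can see whether an
// executable on a VirtualBox shared folder is classified as Intranet (network)
// rather than MyComputer (local). Targets .NET Framework 4.x on Windows.
using System;
using System.Reflection;
using System.Security;
using System.Security.Policy;

static class ZoneCheck
{
    // Classify one path. Zone.CreateFromUrl works on the URL form of the path and
    // does not need the file to exist, so it is safe to probe hypothetical paths.
    public static SecurityZone ZoneOf(string path)
    {
        // new Uri(@"\\VBOXSVR\dev\app.exe").AbsoluteUri == "file://vboxsvr/dev/app.exe"
        string url = new Uri(path).AbsoluteUri;
        return Zone.CreateFromUrl(url).SecurityZone;
    }

    public static void Main(string[] args)
    {
        // Constructed sample paths (assumptions, adjust to your VM): a file on the
        // guest's own virtual disk, and the same file on a shared folder reached
        // through VirtualBox's \\VBOXSVR UNC name.
        string[] samples = args.Length > 0 ? args : new[]
        {
            @"C:\Projects\MyApp\bin\Debug\MyApp.exe",
            @"\\VBOXSVR\projects\MyApp\bin\Debug\MyApp.exe",
        };

        foreach (string p in samples)
            Console.WriteLine("{0,-50} -> {1}", p, ZoneOf(p));

        // Also report where the running program itself sits: this is the zone that
        // decides whether loadFromRemoteSources matters for it.
        string self = Assembly.GetExecutingAssembly().CodeBase;
        Console.WriteLine("this process: {0} -> {1}", self,
            Zone.CreateFromUrl(self).SecurityZone);
    }
}
```

Build it with the .NET 4 compiler and run it once from C:\ and once from the shared folder. A result of Intranet for the \\VBOXSVR path is the runtime's own view of the folder, and it is exactly that classification which makes .NET 4 refuse to load assemblies from there unless loadFromRemoteSources is enabled in the loading process's .exe.config, as the post's sgen.exe.config fix does for the SDK tool.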