VirtualBox

Opened 5 years ago

Last modified 5 years ago

#19647 new defect

Fedora: Removing suid root bit from VBoxDRMClient

Reported by: Frank Batschulat (Oracle) Owned by:
Component: guest additions/x11/graphics Version: VirtualBox 6.1.10
Keywords: fedora VBoxDRMClient suid Cc:
Guest type: Linux Host type: all

Description

From: "Hans de Goede" <> To: vbox-dev@… Subject: [vbox-dev] Removing suid root bit from VBoxDRMClient Date: Mon, 08 Jun 2020 17:46:58 +0200

While looking into upgrading the Fedora virtualbox-guest-additions packages to 6.0.10 I noticed that the "VBoxClient --vmsvga-x11" call in VBoxClient-all has been replaced with "VBoxClient --vmsvga" and that that one will either behave as the old --vmsvga-x11 version (when running under a X11 session) or it will start /usr/bin/VBoxDRMClient.

I added /usr/bin/VBoxDRMClient to the Fedora packages, but after that resizing of a GNOME3 as Wayland-compositor session inside the guest still did not work.

The issue seems to be that /usr/bin/VBoxDRMClient needs more rights, I guess that the upstream version of the guest-additions installs it suid root ?

That is not necessary and since Fedora ships virtualbox-guest-additions as part of the default workstation install we would like to avoid adding another suid root binary to the default install.

Instead I've written a udev rule + systemd service to replace the "VBoxClient --vmsvga" call inside VBoxClient-all. These config files will start /usr/bin/VBoxDRMClient when running inside a VBox VM with VMSVGA graphics. Note this will now run independent of the type of session (X11 or Wayland) running inside the VM. This means that X11 sessions now also use VBoxDRMClient rather then VBoxClient --vmsvga-x11 for resizing.

This works fine and if upstream adopts this, then the VBoxClient --vmsvga-x11 can be dropped.

The udev rule and systemd file can be found here. Feel free to use these under the MIT license:

https://src.fedoraproject.org/rpms/virtualbox-guest-additions/blob/master/f/VirtualBox-60-vboxguest.rules
https://src.fedoraproject.org/rpms/virtualbox-guest-additions/blob/master/f/vboxclient.service

Change History (1)

comment:1 by Frank Batschulat (Oracle), 5 years ago

Virtualbox GAs as of 6.1.10 do indeed install it suid root, below from our GAs on a Fedora32 guest: 

$ ls -la
/opt/VBoxGuestAdditions-6.1.10/bin/VBoxDRMClient
-rwsr-xr-x. 1 root root 1440808 Jun  4 18:43
/opt/VBoxGuestAdditions-6.1.10/bin/VBoxDRMClient

trunk/src/VBox/Additions/linux/installer/install.sh.in 

618 # setuid bit of our drm client as drm ioctl calls                                                                                  
619 # need to be done by elevated privileges                                                                                           
620 chmod 4755 "$INSTALLATION_DIR"/bin/VBoxDRMClient
Note: See TracTickets for help on using tickets.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette