Your message dated Sat, 21 Mar 2026 22:03:18 +0100
with message-id <[email protected]>
and subject line Re: Access to Virtualbox should be limited to a group of users
has caused the Debian Bug report #760574,
regarding Access to Virtualbox should be limited to a group of users
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
760574: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760574
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: virtualbox
Version: 4.3.14-dfsg-1
Tags: security
Virtualbox has a lot of code. Virtualbox has five setuid root binaries and four
kernel modules. Virtualbox has a large attack surface. And yet any user can run
Virtualbox. Not just real users, but also accounts used for running web
applications and other potentially untrusted code. All of them may try to
exploit Virtualbox to elevate their privileges or at least break system's
networking (see bug #760569).
There is already a vboxusers group, but it only controls access to USB devices.
There should be a different group such that users outside that group can't run
Virtualbox at all. They just shouldn't have a permission to execute Virtualbox
binaries (at least those that are setuid root). They also shouldn't be able to
access Virtualbox device nodes in any way. This way, even if Virtualbox has a
privilege elevation flaw, most users wouldn't be able to make any use of it.
--- End Message ---
--- Begin Message ---
(cleaning up ancient bugs.)
if this is still a issue, this should probably be brought upstream.
--- End Message ---
