VirtualBox/setuid binaries
Bastien Nocera
hadess at hadess.net
Thu Nov 15 12:42:11 UTC 2018
On Thu, 2018-11-15 at 11:26 +0100, Michael Thayer wrote:
> Hello,
>
> I have been following Flatpak for some time, given that we
> (VirtualBox)
> maintain about twenty different builds for different Linux
> distributions. Obviously Flatpak could potentially solve quite a big
> problem for us, but there is a big catch: the main binaries in
> VirtualBox run setuid root, and that is not something which is going
> to
> change in the near future. So the question: could you conceive
> adding
> an option to allow setuid root in a Flatpak?
Off the cuff, I'd say no. We've had things like PolicyKit and D-Bus for
more than a decade to avoid having suid applications running in user
sessions, and I don't even think it's technically possible to have suid
root inside a sandbox without stripping that suid bit, but read on
below.
> Clearly this is the same
> as saying that for that Flatpak there is no security sandboxing, so
> the
> user should be sure that they trust it. Which with VirtualBox there
> is
> simply no way round, since we include kernel code.
?
Why does VirtualBox need "kernel code"? You mean you ship drivers in
the same package that are compiled at boot time?
Is that the same drivers that my colleague Hans (CC:ed) has been
upstreaming? If so, you should get rid of the drivers in the package,
and detect if the kernel you're running on offers the functionality
that's necessary, and fallback as nicely as you can if not.
Is there any other reasons for you to have suid root application or
helpers?
> I have also considered the possibility of providing a forked copy of
> Flatpak in our RPMs and Debs which would re-use your runtimes, but
> although that would probably let us reduce the number we build
> significantly it would be horrible. And I know that if you did add
> this
> option you would be getting certain people shouting that "Flatpak is
> not
> secure because setuid binaries are setuid", or something on those
> lines.
> And I also realise that there are probably not that many other
> desktop
> applications which need setuid; but I expect that there are still a
> few
> more.
>
> Anyway, interested to hear what you have to say.
More information about the Flatpak
mailing list