Virtualbox 4 changes permission on /usr!

Hi all, i have virtualbox installed from the oracle virtualbox repository
and had trouble with running virtual machines.
It was a permission error: VERR_SUPLIB_OWNER_NOT_ROOT

Turns out after some searching that the permission had changed on /usr to
owner:chris and group:vboxusers.
Directories inside /usr still belonged to the user root and the group root.

I don’t know how much of a security issue this is, but i wanted to let
you all know just in case it is.
I changed /usr again to root:root and all is well again.


Chris Maaskant

On 02/26/2011 11:48 AM, Chris Maaskant wrote:

> permission had changed on /usr to
> owner:chris and group:vboxusers.

those permissions did not change themselves…

that is, they had to be changed by root–so, who has had access to
your machine…other than you?

ok, so maybe it was changed during the install of VirtualBox–so, i
ask: Why did you “install[ed] from the oracle virtualbox repository”
instead of installing it from the openSUSE repo?

i have not heard of one single user who has installed VirtualBox from
the openSUSE repo (using YaST or zypper) who has reported this
trouble…(but, maybe i missed one–you can google and check)

there are very good reasons why you should always install from an
openSUSE repo (if that is possible, as it was in this case)

one reason is the applications in the openSUSE repo can be TRUSTED to
not subvert your system…they have been tested…and, they are KNOWN
to work correctly with the openSUSE version they were packaged for…

> I don’t know how much of a security issue this is,

pretty big i’d say…however, the problem is not in the software, but
rather in the insecure procedure followed by the administrator…


DenverD
CAVEAT: http://is.gd/bpoMD
[NNTP posted w/openSUSE 11.3, KDE4.5.5, Thunderbird3.0.11, nVidia
173.14.28 3D, Athlon 64 3000+]
“It is far easier to read, understand and follow the instructions than
to undo the problems caused by not.” DD 23 Jan 11

DenverD wrote:

> On 02/26/2011 11:48 AM, Chris Maaskant wrote:
>
>> permission had changed on /usr to
>> owner:chris and group:vboxusers.
>
> those permissions did not change themselves…
>
> that is, they had to be changed by root–so, who has had access to
> your machine…other than you?
>
> ok, so maybe it was changed during the install of VirtualBox–so, i
> ask: Why did you “install[ed] from the oracle virtualbox repository”
> instead of installing it from the openSUSE repo?

Yes i guess it happened during the installation of virtualbox.
The reason i use the oracle repository is that i need usb support.
The OSE version doesn’t provide that.

> i have not heard of one single user who has installed VirtualBox from
> the openSUSE repo (using YaST or zypper) who has reported this
> trouble…(but, maybe i missed one–you can google and check)

Neither do i, that’s why i posted.

> one reason is the applications in the openSUSE repo can be TRUSTED to
> not subvert your system…they have been tested…and, they are KNOWN
> to work correctly with the openSUSE version they were packaged for…

Well they have a repository made for opensuse 11.3.
But you're right, it's always a risk installing from an unofficial repository.
Although i never had problems with their software before.
Sh!t happens i guess…

>> I don’t know how much of a security issue this is,
>
> pretty big i’d say…however, the problem is not in the software, but
> rather in the insecure procedure followed by the administrator…

Nah, i checked it out didn’t i?
Please don’t fire me :wink:


Chris Maaskant

Are you sure it was VirtualBox that made this modification? I also have VB4 from the Oracle repo, but haven’t seen this on my system.

I use VBox from the Oracle site but use the generic version not the RPM and have not seen this.

chief sealth wrote:

>
> Are you sure it was VirtualBox that made this modification? I also have
> VB4 from the Oracle repo, but haven’t seen this on my system.
>
I’ve been looking into what has changed in the past few days on my system.
Turns out that a debian package converted with alien changed the permission
on /usr.
This package has nothing to do with virtualbox, but i was fooled because it
changed the group on /usr to vboxusers for some really weird reason.

It’s not a habit of mine to install .deb packages on opensuse.
But the next time i do, i’ll be looking to what the package does before
installing it.

Sorry for the confusion everybody.


Chris Maaskant
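
Added example (not from any poster in this thread): a shell check that reads a tar -tv listing of a package payload and flags system directories such as /usr that the package would install with an owner other than root, the condition described in the post above. The directory list and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Flag system directories that a package payload ships with non-root
# ownership. Input: a `tar -tv` style listing on stdin, for example from
#   dpkg-deb --fsys-tarfile package.deb | tar -tvf -
# Assumption: paths in the listing contain no spaces.

# Directories expected to be root:root (assumed list, adjust as needed).
SYSTEM_DIRS="/ /usr /usr/bin /usr/lib /usr/lib64 /usr/share /bin /sbin /lib /etc /opt /var"

flag_nonroot_system_dirs() {
    awk -v dirs="$SYSTEM_DIRS" '
        BEGIN { n = split(dirs, d, " "); for (i = 1; i <= n; i++) sys[d[i]] = 1 }
        /^d/ {                                   # directory entries only
            path = $NF
            sub(/^\.\//, "/", path)              # ./usr/ becomes /usr/
            if (path !~ /^\//) path = "/" path   # usr/ becomes /usr/
            if (length(path) > 1) sub(/\/$/, "", path)
            # Field 2 is owner/group, by name or numeric id.
            if ((path in sys) && $2 != "root/root" && $2 != "0/0")
                print path " " $2
        }'
}

# Constructed sample listing, not taken from any real package.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2011-02-20 10:00 ./
drwxr-xr-x chris/vboxusers   0 2011-02-20 10:00 ./usr/
drwxr-xr-x root/root         0 2011-02-20 10:00 ./usr/bin/
-rwxr-xr-x root/root     12345 2011-02-20 10:00 ./usr/bin/exampletool
drwxr-xr-x 1000/113          0 2011-02-20 10:00 ./opt/
EOF
}

# Prints one line per flagged directory: path, then owner/group.
sample_listing | flag_nonroot_system_dirs
```

Any line of output means the package would overwrite the ownership of an existing system directory when it is unpacked as root.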

DenverD wrote:

> On 02/26/2011 11:48 AM, Chris Maaskant wrote:
>
>> permission had changed on /usr to
>> owner:chris and group:vboxusers.
>
> those permissions did not change themselves…
>
> that is, they had to be changed by root–so, who has had access to
> your machine…other than you?
>
> ok, so maybe it was changed during the install of VirtualBox–so, i
> ask: Why did you “install[ed] from the oracle virtualbox repository”
> instead of installing it from the openSUSE repo?
>
> i have not heard of one single user who has installed VirtualBox from
> the openSUSE repo (using YaST or zypper) who has reported this
> trouble…(but, maybe i missed one–you can google and check)
>
> there are very good reasons why you should always install from an
> openSUSE repo (if that is possible, as it was in this case)
>
> one reason is the applications in the openSUSE repo can be TRUSTED to
> not subvert your system…they have been tested…and, they are KNOWN
> to work correctly with the openSUSE version they were packaged for…
>
>> I don’t know how much of a security issue this is,
>
> pretty big i’d say…however, the problem is not in the software, but
> rather in the insecure procedure followed by the administrator…
>
I just installed 4.0.4 from the Oracle Repo, used the version for all
distros, since 11.4 version is not there yet. Installed fine. My
question: does the ose version in the SuSE repo now support usb? I tried
it on Wed. and it would not see my usb2 devices. Did I miss an rpm or
something? I would much rather install from the repo.

is there a how to that lists the rpms to install for openSUSE 11.4 RC2,
64 bit?

Russ
openSUSE 11.3 (2.6.34.7-0.7-default)|KDE 4.6.0 Release 377|
Intel core2duo 2.5 MHZ,|8GB DDR3|GeForce 8400GS
Nvidia 260.19.29|

That is weird. After thinking again, I deleted my post on the Web forum as it just didn’t make sense that something else would use that group. What was the offending package?

chief sealth wrote:

> That is weird. After thinking again, I deleted my post on the Web forum
> as it just didn’t make sense that something else would use that group.
> What was the offending package?
>
spotlite-amd64.deb
I found this on a newsserver.
It’s a Dutch program to make it easier to find stuff on newsservers.
But there was only an Ubuntu package available for linux.

http://www.megaupload.com/?d=KS6CMTTW

Chris Maaskant

Upscope

As far as I know the USB package should install after you install from the repo. Since this is a commercial package licensed for individual use only I guess they would not want it in the repo since they really want paid for it if used in a commercial setting. Whatever keeps the PHB happy.