I am looking for a way to as the title says, restrict permission to use Virtualbox from some users account. I saw in > control center > users and group > advanced settings, that it is possible to allow or not users, but it seems like it is not effective. When i login those users account, still i can create a VM in Virtualbox.
I know that i can manage from the virtualbox group, but this is almost the same manner, at least the same result.
Maybe have to reboot ?
I won’t use chroot now, this not a big-dill, i just want to prevent bad things for the youth are going to use this computer.
A GUI for now will be nice !
Sorry for my english …
The steps aren’t difficult, but it means you will be using the following commands: chown, chmod, adduser and addgroup.
In order to disable access to an application on a user basis, you need to wrap that application in a usergroup. Those users that belong to the group can launch the application. Those that don’t belong to the group can’t. Some applications (particularly server applications and security-based applications) are already setup with a usergroup. Normal applications are not. So you need to create one and setup the needed permissions.
Why doesn’t vboxusers work?
That group is not meant to control user access to the VirtualBox, but instead define the group of users that are allowed to use certain features of VirtualBox, like plugin in external devices.
So with that out of the way, let us start…
Create a new usergroup. We are going to call it execvbox
$ sudo addgroup execvbox
This command creates the new group that will be used to control execute access to the VirtualBox application. Nothing too complicated here. Let’s move on.
Change VirtualBox group owner to the new group we just created.
Let’s take a look at where the virtualbox executable is installed in your system:
$ type -P virtualbox /usr/bin/virtualbox
Now let’s take a closer look at it with the
ls command with the
-l option to see its details:
$ ls -l /usr/bin/virtualbox lrwxrwxrwx 1 root root 4 Jul 18 13:33 /usr/bin/virtualbox -> VBox
Oops! we don’t want this file. It’s a symbolic link to the real executable called
VBox. We could change it, but our users could bypass us by going to the VBox executable directly. No way. We need to change the real executable. the output of the
ls command is telling us it is in the same folder, but under the name
VBox. So let’s check it out:
$ ls -l /usr/bin/VBox -rwxr-xr-x 1 root root 3446 Jul 18 13:33 /usr/bin/VBox
So, now we need to change this file and we want to change its group. Right now the file is owned by
root root, meaning it is owned by the user
root and the group
root. We will be changing that to
$ sudo chown :execvbox /usr/bin/VBox
Let’s see our changes:
$ ls -l /usr/bin/VBox -rwxr-xr-x 1 root execvbox 3446 Jul 18 13:33 /usr/bin/VBox
Nice! The file is now owned by the user root and the group execvbox. And this is why adding users to the group
vboxusers wasn’t doing a thing for you. That group doesn’t own the file, the group
root did. That group is instead used by VBox for other purposes.
But we have a problem. If you look at the permissions,
-rwxr-xr-x means that everyone can still execute this file. The owner has
rwx (all) permissions, which is ok because he’s root. The group has
r-x (read,execute) permissions, which is also ok because this is the group we want to be able to execute the file. But the last part of the permissions set that controls permissions to everyone else also has
r-x (read,execute) permissions. We need to change that.
Remove execute permissions to everyone else.
$ sudo chmod o-x /usr/bin/VBox
Let’s see what we just did:
$ ls -l /usr/bin/VBox -rwxr-xr-- 1 root execvbox 3446 Jul 18 13:33 /usr/bin/VBox
Now, only the owner of the file, or members of the group execvbox can execute it. Right now, in fact, you should try to execute it and you will see that you can’t from either the MATE panel menu, or from the command line. So, what you need to do to regain access to VirtualBox is to add yourself to the
Add users to the execvbox group.
$ sudo adduser marfig execvbox
This is adding the user
marfig to the group. This will give marfig permission to execute the file. He’s not the owner of the file, root is. But marfig now belongs to the group
execvbox and that group of users can execute the file. Meanwhile, except for root and users of that group, no one else can.
And that’s it. You will need to log out and log back in in order for this last command to set in. Your VBox application is now protected against execution on a user basis.
If you think you are going to do this often with other applications, stick to a group naming schema that fits you, but that also remains consistent among other applications. For instance, you will notice that I named the group
execvbox. If I then want to do the same to the smplayer, I will create another group called
execsmplayer. This way your groups remain manageable (and sortable) and you don’t have to remember what’s the difference between execvbox and smplayerrun.
Marfig, thank you so much for your time ! I mean it’s not gonna change our world, but the time we spend to help each others even if it’s “just” computing this is a nice and essential human behavior … (we all know for a guy called R. Stallman computing rights means also citizen rights to defend)
I am on my way to try it and let you know !
Give me :
lrwxrwxrwx 1 root root 27 juil. 12 09:13 /usr/bin/virtualbox -> …/share/virtualbox/VBox.sh
ls: impossible d’accéder à ‘/usr/bin/VBox’: Aucun fichier ou dossier de ce type
you can translate by , no such file exist
Then chown cannot do the job because cannot find the path.
Does it means that my virtualbox executable is somewhere else ?
HOW I INSTALLED VIRTUAL BOX
By using Synaptic package manager. 5.0.24 Version
Well, let’s look at your symlink again:
lrwxrwxrwx 1 root root 27 juil. 12 09:13 /usr/bin/virtualbox -> ../share/virtualbox/VBox.sh
Contrary to my installation (done through the Software Boutique), yours points to:
So naturally you won’t be changing the permissions on
/usr/bin/VBox because it doesn’t exist in your machine. You will be changing instead the permissions on the file
But you have to notice the two-dot characters that start the path to
VBox.sh. This means, from the present location go up one directory and then go down to the share/virtualbox/VBox.sg file.
So the present directory of that symlink is
/usr/bin. You know this because the above ls command is being done on
/usr/bin/virtualbox. virtualbox is the file you were looking and that revealed itself to be a symlink. And that symlink is located at
/usr/bin and points to the path after the arrow.
/usr/bin we go up one directory to
/usr. And now we go down to
virtualbox and finally to the file
VBox.sh. That is, the file you need to change is located at
So, the command you want is:
ls -l /usr/share/virtualbox/VBox.sh
And that is the file filepath that is going to receive the chown and chmod commands.
Others users cannot access or even log in Virtualbox but the user tristan is allow to, it is the only account where this app is avaible, so it seems to be All Done !!
Thank you very much for those precious teatchings marfig !!!