Restrict permission for some users in Virtualbox

Tristan_VILLERS · 14 August 2016 21:49

Hi,
I am looking for a way to as the title says, restrict permission to use Virtualbox from some users account. I saw in > control center > users and group > advanced settings, that it is possible to allow or not users, but it seems like it is not effective. When i login those users account, still i can create a VM in Virtualbox.
I know that i can manage from the virtualbox group, but this is almost the same manner, at least the same result.
Maybe have to reboot ?
I won’t use chroot now, this not a big-dill, i just want to prevent bad things for the youth are going to use this computer.
A GUI for now will be nice !
Thanks
Sorry for my english …

marfig · 15 August 2016 00:59

The steps aren’t difficult, but it means you will be using the following commands: chown, chmod, adduser and addgroup.

Summary

In order to disable access to an application on a user basis, you need to wrap that application in a usergroup. Those users that belong to the group can launch the application. Those that don’t belong to the group can’t. Some applications (particularly server applications and security-based applications) are already setup with a usergroup. Normal applications are not. So you need to create one and setup the needed permissions.

Why doesn’t vboxusers work?

That group is not meant to control user access to the VirtualBox, but instead define the group of users that are allowed to use certain features of VirtualBox, like plugin in external devices.

So with that out of the way, let us start…

Step 1

Create a new usergroup. We are going to call it execvbox

$ sudo addgroup execvbox

This command creates the new group that will be used to control execute access to the VirtualBox application. Nothing too complicated here. Let’s move on.

Step 2

Change VirtualBox group owner to the new group we just created.

Let’s take a look at where the virtualbox executable is installed in your system:

$ type -P virtualbox
/usr/bin/virtualbox

Now let’s take a closer look at it with the ls command with the -l option to see its details:

$ ls -l /usr/bin/virtualbox 
lrwxrwxrwx 1 root root 4 Jul 18 13:33 /usr/bin/virtualbox -> VBox

Oops! we don’t want this file. It’s a symbolic link to the real executable called VBox. We could change it, but our users could bypass us by going to the VBox executable directly. No way. We need to change the real executable. the output of the ls command is telling us it is in the same folder, but under the name VBox. So let’s check it out:

$ ls -l /usr/bin/VBox
-rwxr-xr-x 1 root root 3446 Jul 18 13:33 /usr/bin/VBox

So, now we need to change this file and we want to change its group. Right now the file is owned by root root, meaning it is owned by the user root and the group root. We will be changing that to root execvbox

$ sudo chown :execvbox /usr/bin/VBox

Let’s see our changes:

$ ls -l /usr/bin/VBox
-rwxr-xr-x 1 root execvbox 3446 Jul 18 13:33 /usr/bin/VBox

Nice! The file is now owned by the user root and the group execvbox. And this is why adding users to the group vboxusers wasn’t doing a thing for you. That group doesn’t own the file, the group root did. That group is instead used by VBox for other purposes.

But we have a problem. If you look at the permissions, -rwxr-xr-x means that everyone can still execute this file. The owner has rwx (all) permissions, which is ok because he’s root. The group has r-x (read,execute) permissions, which is also ok because this is the group we want to be able to execute the file. But the last part of the permissions set that controls permissions to everyone else also has r-x (read,execute) permissions. We need to change that.

Step 3

Remove execute permissions to everyone else.

$ sudo chmod o-x /usr/bin/VBox

Let’s see what we just did:

$ ls -l /usr/bin/VBox
-rwxr-xr-- 1 root execvbox 3446 Jul 18 13:33 /usr/bin/VBox

Now, only the owner of the file, or members of the group execvbox can execute it. Right now, in fact, you should try to execute it and you will see that you can’t from either the MATE panel menu, or from the command line. So, what you need to do to regain access to VirtualBox is to add yourself to the execvbox group.

Step 4

Add users to the execvbox group.

$ sudo adduser marfig execvbox

This is adding the user marfig to the group. This will give marfig permission to execute the file. He’s not the owner of the file, root is. But marfig now belongs to the group execvbox and that group of users can execute the file. Meanwhile, except for root and users of that group, no one else can.

All done

And that’s it. You will need to log out and log back in in order for this last command to set in. Your VBox application is now protected against execution on a user basis.

Pro-Tip

If you think you are going to do this often with other applications, stick to a group naming schema that fits you, but that also remains consistent among other applications. For instance, you will notice that I named the group execvbox. If I then want to do the same to the smplayer, I will create another group called execsmplayer. This way your groups remain manageable (and sortable) and you don’t have to remember what’s the difference between execvbox and smplayerrun.

Tristan_VILLERS · 15 August 2016 13:02

Marfig, thank you so much for your time ! I mean it’s not gonna change our world, but the time we spend to help each others even if it’s “just” computing this is a nice and essential human behavior … (we all know for a guy called R. Stallman computing rights means also citizen rights to defend)
I am on my way to try it and let you know !

Tristan_VILLERS · 15 August 2016 13:13

Give me :
lrwxrwxrwx 1 root root 27 juil. 12 09:13 /usr/bin/virtualbox -> …/share/virtualbox/VBox.sh

Give me
ls: impossible d’accéder à ‘/usr/bin/VBox’: Aucun fichier ou dossier de ce type
you can translate by , no such file exist
Then chown cannot do the job because cannot find the path.
Does it means that my virtualbox executable is somewhere else ?
HOW I INSTALLED VIRTUAL BOX
By using Synaptic package manager. 5.0.24 Version
thanks !

marfig · 15 August 2016 16:54

Well, let’s look at your symlink again:

lrwxrwxrwx 1 root root 27 juil. 12 09:13 /usr/bin/virtualbox -> ../share/virtualbox/VBox.sh

Contrary to my installation (done through the Software Boutique), yours points to:

../share/virtualbox/VBox.sh

So naturally you won’t be changing the permissions on /usr/bin/VBox because it doesn’t exist in your machine. You will be changing instead the permissions on the file ../share/virtualbox/VBox.sh.

But you have to notice the two-dot characters that start the path to VBox.sh. This means, from the present location go up one directory and then go down to the share/virtualbox/VBox.sg file.

So the present directory of that symlink is /usr/bin. You know this because the above ls command is being done on /usr/bin/virtualbox. virtualbox is the file you were looking and that revealed itself to be a symlink. And that symlink is located at /usr/bin and points to the path after the arrow.

So, from /usr/bin we go up one directory to /usr. And now we go down to share, then virtualbox and finally to the file VBox.sh. That is, the file you need to change is located at /usr/share/virtualbox/VBox.sh

So, the command you want is:

ls -l /usr/share/virtualbox/VBox.sh

And that is the file filepath that is going to receive the chown and chmod commands.

Tristan_VILLERS · 16 August 2016 07:30

Greetings !

Others users cannot access or even log in Virtualbox but the user tristan is allow to, it is the only account where this app is avaible, so it seems to be All Done !!
Thank you very much for those precious teatchings marfig !!!