Package: virtualbox Version: 4.3.14-dfsg-1 Tags: security Virtualbox has a lot of code. Virtualbox has five setuid root binaries and four kernel modules. Virtualbox has a large attack surface. And yet any user can run Virtualbox. Not just real users, but also accounts used for running web applications and other potentially untrusted code. All of them may try to exploit Virtualbox to elevate their privileges or at least break system's networking (see bug #760569).
There is already a vboxusers group, but it only controls access to USB devices. There should be a different group such that users outside that group can't run Virtualbox at all. They just shouldn't have a permission to execute Virtualbox binaries (at least those that are setuid root). They also shouldn't be able to access Virtualbox device nodes in any way. This way, even if Virtualbox has a privilege elevation flaw, most users wouldn't be able to make any use of it. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
