On Friday 05 September 2014 06:35 PM, Evgeny Kapun wrote:
> Virtualbox lets any local user create and configure network interfaces (vboxnet*), and also send and receive traffic through them. It also lets users bridge their VMs to other network interfaces. Normally, such operations are reserved for users with CAP_NET_ADMIN capability for a good reason. Such actions can be used to disrupt other users' communications, capture their network traffic and even perform MITM attacks against them.

Thanks for this bug report. After your bug report, I went and checked the number of setuid binaries and there are many.
We should contain these to a single user/group (like libvirt does). That should be a good start.
-- 
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
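
The check described in the reply above, as an added example that is not part of the original mail or of the VirtualBox packaging: it lists setuid files under a directory and separates those any local user can execute from those limited to an owner/group. The function names are hypothetical, the directory is supplied by the caller, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the original thread): audit setuid files under a
# directory tree. DIR is whatever directory holds the binaries under review;
# no package-specific path is assumed. Requires GNU stat (stat -c).

# Print one line per setuid regular file: STATUS MODE OWNER:GROUP PATH
#   OPEN       -> "other" execute bit set, so any local user can run it
#   RESTRICTED -> only owner/group can run it (for example mode 4750)
# File names containing newlines are not handled.
audit_setuid() {
    dir=$1
    find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null | sort |
    while IFS= read -r f; do
        mode=$(stat -c '%a' "$f") || continue
        owner=$(stat -c '%U:%G' "$f") || continue
        # The last octal digit holds the "other" permissions;
        # an odd digit means the execute bit is set.
        case $mode in
            *[1357]) status=OPEN ;;
            *)       status=RESTRICTED ;;
        esac
        printf '%s %s %s %s\n' "$status" "$mode" "$owner" "$f"
    done
}

# Number of setuid files under DIR that any local user can execute.
# grep -c exits non-zero on a zero count, hence the "|| true".
count_open_setuid() {
    audit_setuid "$1" | grep -c '^OPEN ' || true
}
```

Run as `audit_setuid DIR` before and after a packaging change; a tree contained to a single group shows only `RESTRICTED` lines.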