Hello Rivalino,

Rivalino Matias Jr wrote:
>> But surely any damage a user can do by running network
>> services inside of a guest they can also do by running them directly
>> on the host.
>
> Not necessarily. In my deployment, users from host system are not
> administrators - they are ordinary non-privileged users. For example, they
> cannot install and run a server software (ex. dhcpd). But, in the guest os
> they will be root. Hence, they can install everything. They can do whatever
> they want (ex. generate malicious traffic, install and run server like dns,
> dhcpd, ... among others).

If you indeed de-installed the VirtualBox networking component, then the networking parts of VirtualBox are running with the same rights as any other process the user might start (Mikhail, please correct me here if I am saying anything wrong for Windows hosts). Your users have root rights inside the virtual machine, but on the host they do not get any special rights as far as networking is concerned (in fact generally, VirtualBox is designed to run with as few extra privileges as possible). This can be compared to the way root rights on one machine in a network don't give you special privileges on other machines.

In particular, unless you set up port forwarding, any server which they set up on a virtual machine will not even be accessible from the host (try it!), and if they do set up port forwarding, they will still not be able to give the server any access from outside which they couldn't have done if they were running the server straight on the host under their own user account. In particular, all host firewall rules still apply.

Hope this clarifies things slightly.

Regards,

Michael
--
Michael Thayer
VirtualBox engineer
Sun Microsystems GmbH
Werkstrasse 24
71384 Weinstadt, Germany
