virtualbox grabs all usb devices via udev -> fixed as of 2010.11.29

[jba]

I used virtualbox 2.2 before and now 3.2 (on debian lenny). Both have the same problem: the udev script 10-vboxdrv.rules grabs usb devices and puts them to the grup vboxusres:

KERNEL=="vboxdrv", NAME="vboxdrv", OWNER="root", GROUP="root", MODE="0600" SUBSYSTEM=="usb_device", GROUP="vboxusers", MODE="0664" SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", GROUP="vboxusers", MODE="0664"

While the first line seems reasonable to me, the second and third do not. As I understand them, they grab all usb-devices and make them accessible by the group vboxusres. This may not be desireable.

On the other hand, usb devices that are used by other software and have their own udev script, might not get the device. I own an chipcard reader which is managed by a daemon, which has its own group. However, with virtualbox, the device is asigned to the group vboxusers and the chipcard daemon can no longer access it (as it is not in the vboxusers group). So, virtualbox makes the chipcard reader unusable unless the faulty udev script is changed.

I dont understand the necassity of 10-vboxdrv.rules. Linux has means to allow and protect access of devices for all users. If the system doesnt allow a user acces to a special device, why should he be allowed to use it, when he uses virtualbox?

Juergen

[Klaus Espenlaub]

You're misunderstanding the meaning of the vboxusers group. It is a group which provides extra permissions which are useful to have in the VirtualBox context. In particular if one wants to pass USB devices to a VM this requires access to the raw USB device. It's simply not practical to require per-device rules, as it is completely unpredicable what the user connects next and wants to use from a VM.

The user doesn't have to be in group vboxusers to run VirtualBox, at least not in the packages provided on virtualbox.org.

[jba]

You're misunderstanding the meaning of the vboxusers group. ... The user doesn't have to be in group vboxusers to run VirtualBox,

Ok, this may be my misinterpretation.

However, the second point is still valid: virtualbox gabs devices. that would have been owned by other groups if there were no virtualbox. This changes the permission of the devices and they may become unusable.

Juergen

[Klaus Espenlaub]

There's work in progress to resolve this permission change... will probably land with 4.0.0.

[Michael Thayer]

The change has been in our development repository since yesterday. The udev rules have been changed to create a second tree of USB devices (/dev/vboxusb/xxx/yyy) accessible to the group vboxusers, and the /dev/bus/usb/xxx/yyy devices are no longer touched. Members of the group vboxusers will still be able to access all non-hub USB devices on the system. Allowing this access is currently the only purpose of the group, so a user can be denied access without otherwise affecting VirtualBox by simply not making them a member of the group. In this case of course they will not be able to access USB devices in VMs (short of e.g. setting up custom permissions for specific devices).

[Michael Thayer]

Note that this fix will not be backported to the 3.2 series.

[Frank Mehnert]

Should be fixed in 4.0.