
Re: Prevent chown to remove the setuid bit



Hi,

On Thu, Nov 27, 2025 at 08:56:05PM +0100, Franco Martelli wrote:
> The number of files to restore after changing the group owner is not so
> much:
> 
> ~$ ls -Rlh /usr/lib/virtualbox/ | grep 'r-s'
> -r-s--x--x 1 root root      139K 17 ott 13.40 /usr/lib/virtualbox/VBoxHeadless
> -r-s--x--x 1 root root       31K 17 ott 13.40 /usr/lib/virtualbox/VBoxNetAdpCtl
> -r-s--x--x 1 root root      139K 17 ott 13.40 /usr/lib/virtualbox/VBoxNetDHCP
> -r-s--x--x 1 root root      139K 17 ott 13.40 /usr/lib/virtualbox/VBoxNetNAT
> -r-s--x--x 1 root root       15K 17 ott 13.40 /usr/lib/virtualbox/VBoxVolInfo
> -r-s--x--x 1 root root      143K 17 ott 13.40 /usr/lib/virtualbox/VirtualBoxVM
> 
> therefore I can restore their permissions manually, I asked because I was
> thinking that maybe there is an official way to accomplish this. Do you
> suggest to write a bash shell script?

Well hold up now. These things are setuid root and your hypothesis is
that changing them to also be setgid to the vboxusers group will make
something work?

It just doesn't seem very likely given that the setuid means all these
commands will be running as root anyway.

I'd really suggest getting advice from the supplier of VirtualBox
before spending significant time on this but I suppose trying the setgid
idea out won't cost that much time.

If the list as above is really only 6 files why do you even need a
script? Just do the recursive chgrp and then

# chmod -c u+s,g+s \
    /usr/lib/virtualbox/VBoxHeadless \
    /usr/lib/virtualbox/VBoxNetAdpCtl \
    /usr/lib/virtualbox/VBoxNetDHCP \
    /usr/lib/virtualbox/VBoxNetNAT \
    /usr/lib/virtualbox/VBoxVolInfo \
    /usr/lib/virtualbox/VirtualBoxVM

it's a one-liner isn't it?

Though just to re-iterate, I don't see how this will solve anything.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
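
A generalisation of the chgrp-then-chmod step discussed above, as an added example that is not part of the original message: it records the mode of every setuid/setgid file before a recursive chgrp and reapplies it afterwards, skipping any file whose owner changed in between. It assumes GNU find and stat; the snapshot path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: snapshot and restore setuid/setgid modes around a chgrp -R.
# Assumes GNU find and stat. Paths containing newlines are not supported.
#
# Usage (as root; /root/vbox-modes.txt is a hypothetical snapshot path):
#   snapshot_special /usr/lib/virtualbox /root/vbox-modes.txt
#   chgrp -R vboxusers /usr/lib/virtualbox
#   restore_special /root/vbox-modes.txt

# snapshot_special DIR OUT
# Record "octal-mode uid path" for every regular file under DIR that has
# the setuid or setgid bit set.
snapshot_special() {
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%a %u %n' {} + > "$2"
}

# restore_special SNAPSHOT
# Reapply each recorded mode, but only if the path is still a regular file
# (not a symlink) owned by the uid recorded earlier, so a file that was
# replaced in the meantime does not silently regain setuid.
# Prints the number of files restored; returns 1 if any entry was skipped.
restore_special() {
    restored=0
    skipped=0
    while read -r mode uid path; do
        if [ -f "$path" ] && [ ! -L "$path" ] &&
           [ "$(stat -c '%u' "$path")" = "$uid" ]; then
            chmod "$mode" "$path" && restored=$((restored + 1))
        else
            echo "skipped (changed since snapshot): $path" >&2
            skipped=$((skipped + 1))
        fi
    done < "$1"
    echo "$restored"
    [ "$skipped" -eq 0 ]
}
```

The restore puts back the modes exactly as they were before the chgrp (setuid only, in the listing above); it does not add the setgid bit.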

