
Bug#807542: /usr/lib/virtualbox/vboxwebsrv: started web service without user consent


Ritesh Raj Sarraf

Dec 10, 2015, 4:00:03 AM
Package: virtualbox
Version: 5.0.10-dfsg-4
Severity: important
File: /usr/lib/virtualbox/vboxwebsrv

Hello Gianfranco,


The following has happened without user consent. And especially when
there is no VBox service active.


These days, I'm also exploring KVM, and so have virtualbox not enabled/running
on my box.

rrs@learner:~$ sudo systemctl status vboxweb.service
[sudo] password for rrs:
● vboxweb.service - VirtualBox Web Service
Loaded: loaded (/lib/systemd/system/vboxweb.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2015-12-08 17:18:42 IST; 1 day 20h ago
Main PID: 1892 (vboxwebsrv)
Tasks: 18 (limit: 512)
CGroup: /system.slice/vboxweb.service
├─1892 /usr/lib/virtualbox/vboxwebsrv --pidfile /run/vboxweb.pid --background
├─1903 /usr/lib/virtualbox/VBoxXPCOMIPCD
└─1940 /usr/lib/virtualbox/VBoxSVC --auto-shutdown

Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004182 main OS Product: Linux
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004185 main OS Release: 4.3.0+
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004186 main OS Version: #35 SMP PREEMPT Fri Nov 6 18:29:25 IST 2015
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004232 main DMI Product Name: 20344
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004251 main DMI Product Version: Lenovo Yoga 2 13
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004362 main Host RAM: 7908MB total, 7769MB available
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004369 main Executable: /usr/lib/virtualbox/vboxwebsrv
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004371 main Process ID: 1728
Dec 08 17:18:42 learner vboxwebsrv[1728]: 00:00:00.004372 main Package type: LINUX_64BITS_GENERIC (OSE)
Dec 08 17:18:42 learner systemd[1]: Started VirtualBox Web Service.
2015-12-10 / 14:11:35 ♒♒♒ ☺


rrs@learner:~$ sudo systemctl status virtualbox
[sudo] password for rrs:
● virtualbox.service - LSB: VirtualBox Linux kernel module
Loaded: loaded (/etc/init.d/virtualbox; bad; vendor preset: enabled)
Active: inactive (dead)
Docs: man:systemd-sysv-generator(8)
2015-12-10 / 14:13:28 ♒♒♒ ☹ => 3


-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_IN.utf8, LC_CTYPE=en_IN.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages virtualbox depends on:
ii adduser 3.113+nmu3
ii init-system-helpers 1.24
ii libc6 2.19-22
ii libcurl3-gnutls 7.45.0-1+b1
ii libgcc1 1:5.2.1-23
ii libgsoap7 2.8.22-1+b1
ii libpng12-0 1.2.54-1
ii libpython2.7 2.7.10-5+b1
ii libsdl1.2debian 1.2.15-12
ii libssl1.0.2 1.0.2d-3
ii libstdc++6 5.2.1-23
ii libvncserver1 0.9.10+dfsg-3
ii libvpx2 1.4.0-4
ii libx11-6 2:1.6.3-1
ii libxcursor1 1:1.1.14-1+b1
ii libxext6 2:1.3.3-1
ii libxml2 2.9.2+zdfsg1-4
ii libxmu6 2:1.1.2-2
ii libxt6 1:1.1.5-1
ii python 2.7.9-1
ii python2.7 2.7.10-5+b1
pn python:any <none>
ii virtualbox-dkms [virtualbox-modules] 5.0.10-dfsg-4
ii zlib1g 1:1.2.8.dfsg-2+b1

Versions of packages virtualbox recommends:
ii libgl1-mesa-glx [libgl1] 11.0.6-1
ii libqt4-opengl 4:4.8.7+dfsg-5
ii libqtcore4 4:4.8.7+dfsg-5
ii libqtgui4 4:4.8.7+dfsg-5
ii virtualbox-qt 5.0.10-dfsg-4

Versions of packages virtualbox suggests:
pn vde2 <none>
ii virtualbox-guest-additions-iso 5.0.10-1

-- no debconf information

Gianfranco Costamagna

Dec 10, 2015, 10:10:03 AM
Hi Ritesh,


>The following has happened without user consent. And especially when
>there is no VBox service active.


I didn't think about a non-running vbox by default...
I disabled it, can you please give it a try?
http://debomatic-amd64.debian.net/distribution#unstable/virtualbox/5.0.10-dfsg-6/buildlog

I guess this way users will be able to systemctl enable it.

thanks,

G.

Ritesh Raj Sarraf

Dec 10, 2015, 11:50:04 AM
Hi Gianfranco,

On Thu, 2015-12-10 at 15:00 +0000, Gianfranco Costamagna wrote:
> I didn't think about a non-running vbox by default...
> I disabled it, can you please give it a try?
> http://debomatic-amd64.debian.net/distribution#unstable/virtualbox/5.0.10-dfsg-6/buildlog
>
> I guess this way users will be able to systemctl enable it.

I don't have a setup to test right now. But I've looked at the change.
Looks good to me.

But perhaps, for an important change like this, you may want to add it
to NEWS.Debian?

--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
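
The check behind this report, as an added example that is not part of the original thread or of the Debian package: a small parser for `systemctl status` output that flags a unit which is enabled, matches the vendor preset, and is running, which is the state reported for vboxweb.service. The helper name `classify_status` is hypothetical, and the sample text is copied from the status output quoted in the report.

```sh
#!/bin/sh
# Added example (not from the thread). classify_status is a hypothetical helper:
# it reads `systemctl status <unit>` text on stdin and prints one summary line.

# Samples: header lines copied from the status output in the report above.
SAMPLE_VBOXWEB='● vboxweb.service - VirtualBox Web Service
Loaded: loaded (/lib/systemd/system/vboxweb.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2015-12-08 17:18:42 IST; 1 day 20h ago'
SAMPLE_VIRTUALBOX='● virtualbox.service - LSB: VirtualBox Linux kernel module
Loaded: loaded (/etc/init.d/virtualbox; bad; vendor preset: enabled)
Active: inactive (dead)'

classify_status() {
  awk '
    NR == 1 {                      # header line: marker, unit name, description
      for (i = 1; i <= NF; i++) if ($i ~ /\.service$/) { unit = $i; break }
    }
    $1 == "Loaded:" {              # fields inside (...) are separated by "; "
      s = $0
      sub(/^[^(]*\(/, "", s); sub(/\).*$/, "", s)
      n = split(s, f, "; ")
      if (n >= 2) state = f[2]     # enabled, disabled, bad, ...
      for (i = 3; i <= n; i++)
        if (f[i] ~ /preset: /) { preset = f[i]; sub(/^.*preset: /, "", preset) }
    }
    $1 == "Active:" { active = $2 }
    END {
      if (unit == "")   unit = "unknown"
      if (state == "")  state = "unknown"
      if (preset == "") preset = "unknown"
      if (active == "") active = "unknown"
      # REVIEW: enabled only in line with the vendor preset, and running now,
      # so the service may never have been an administrator decision.
      verdict = "ok"
      if (state == "enabled" && preset == "enabled" && active == "active")
        verdict = "REVIEW"
      printf "%s state=%s preset=%s active=%s verdict=%s\n", unit, state, preset, active, verdict
    }'
}

# Live use: pass a unit name as the first argument, e.g. vboxweb.service
if [ -n "${1:-}" ]; then
  LC_ALL=C systemctl status --no-pager --lines=0 "$1" 2>/dev/null | classify_status
fi
```

For a unit flagged REVIEW that is not wanted, `systemctl disable --now <unit>` stops it and removes its enablement.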