Virtualbox encounters 'Effective UID is not root' when starting a VM

Bug #1935856 reported by MarkJBobak
This bug affects 10 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| virtualbox (Ubuntu) | Confirmed | Undecided | Unassigned | |

Bug Description

I can run Virtualbox, and create a new VM, but when I try to run it, I encounter:
```
Effective UID is not root (euid=1000 egid=1000 uid=1000 gid=1000) (rc=-10)

Please try reinstalling VirtualBox.

where: SUPR3HardenedMain what: 2 VERR_PERMISSION_DENIED (-10) - Permission denied.
```

I have tried re-installing Virtualbox:
```
sudo apt purge virtualbox-*
sudo apt install virtualbox
```

but no help.

I made sure my user was added to vboxusers group, but also no help there.

Help?

-Mark

ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: virtualbox 6.1.22-dfsg-2~ubuntu1.21.04.1
ProcVersionSignature: Ubuntu 5.11.0-24.25-generic 5.11.22
Uname: Linux 5.11.0-24-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Mon Jul 12 13:36:37 2021
InstallationDate: Installed on 2020-08-31 (315 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
SourcePackage: virtualbox
UpgradeStatus: Upgraded to hirsute on 2021-05-10 (63 days ago)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in virtualbox (Ubuntu):
status: New → Confirmed
Oliver Maurhart (dyle71) wrote :

Hi *,

I'm affected by this bug too. What I noticed:
When I run
```
$ strace -ff -o VBoxManage.trace VBoxManage startvm 92522455-ebd0-4a67-8a38-4ba05ca3fc00
```
and check the trace files for any "perm" I see
```
$ grep -i perm VBoxManage.trace.101*
...
VBoxManage.trace.10169:openat(AT_FDCWD, "/dev/loop5", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = -1 EACCES (Permission denied)
VBoxManage.trace.10169:openat(AT_FDCWD, "/dev/loop3", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = -1 EACCES (Permission denied)
VBoxManage.trace.10179:openat(AT_FDCWD, "/dev/vboxnetctl", O_RDWR) = -1 EACCES (Permission denied)
VBoxManage.trace.10183:capset({version=0 /* _LINUX_CAPABILITY_VERSION_??? */, pid=0}, {effective=1<<CAP_NET_RAW|1<<CAP_SYS_NICE, permitted=1<<CAP_NET_RAW|1<<CAP_SYS_NICE, inheritable=0}) = -1 EINVAL (Invalid argument)
...
```

Checking the (device-)file in question, I see:
```
$ ls -l /dev/vboxnetctl
crw------- 1 root root 10, 120 Jul 30 09:27 /dev/vboxnetctl
```

I'm not root, so that's clear to me then. But my user is member of the vboxuser group.
So changing the access permission to
```
$ sudo chgrp vboxusers /dev/vboxnetctl && sudo chmod g+rw /dev/vboxnetctl
$ ls -l /dev/vboxnetctl
crw-rw---- 1 root vboxusers 10, 120 Jul 30 09:27 /dev/vboxnetctl
```

And trying again, renders now
```
$ strace -ff -o VBoxManage.trace VBoxManage startvm 92522455-ebd0-4a67-8a38-4ba05ca3fc00
...
$ grep -i perm VBox*
...
VBoxManage.trace.9788:openat(AT_FDCWD, "/dev/loop5", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = -1 EACCES (Permission denied)
VBoxManage.trace.9788:openat(AT_FDCWD, "/dev/loop3", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = -1 EACCES (Permission denied)
VBoxManage.trace.9798:openat(AT_FDCWD, "/dev/vboxnetctl", O_RDWR) = -1 EPERM (Operation not permitted)
VBoxManage.trace.9802:capset({version=0 /* _LINUX_CAPABILITY_VERSION_??? */, pid=0}, {effective=1<<CAP_NET_RAW|1<<CAP_SYS_NICE, permitted=1<<CAP_NET_RAW|1<<CAP_SYS_NICE, inheritable=0}) = -1 EINVAL (Invalid argument)
...
```

So, it's "Operation not permitted" and somehow relates to Linux Capabilities
```
$ man capabilities
```

Mehhh, ... puhh ... I'll investigate further...

Oliver Maurhart (dyle71) wrote :

Add-on: I checked the sources provided at https://download.virtualbox.org/virtualbox/6.1.22/ and I think the responsible code snippet is in VirtualBox-6.1.22/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp

```
$ cat -n VirtualBox-6.1.22/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp | grep -A 10 2550
  2550 /*
  2551 * Check that we're root, if we aren't then the installation is butchered.
  2552 */
  2553 g_uid = getuid();
  2554 g_gid = getgid();
  2555 if (geteuid() != 0 /* root */)
  2556 supR3HardenedFatalMsg("SUPR3HardenedMain", kSupInitOp_RootCheck, VERR_PERMISSION_DENIED,
  2557 "Effective UID is not root (euid=%d egid=%d uid=%d gid=%d)",
  2558 geteuid(), getegid(), g_uid, g_gid);
  2559 #endif /* SUP_HARDENED_SUID */
  2560
```

When making a small demo:
```
$ cat a.c
#include <stdio.h>
#include <fcntl.h>

#include <unistd.h>
#include <sys/types.h>

int main(int argc, char** argv) {

    printf("Real user id: %d\n", getuid());
    printf("Effective user id: %d\n", geteuid());

    int res = openat(AT_FDCWD, "/dev/vboxnetctl", O_RDWR);

    if (res == -1) {
        perror(NULL);
        return 1;
    }
    printf("Opened file.\n");
    return 0;
}
```
with

```
$ gcc a.c
$ sudo chown root: a.out
$ ls -l a.out
-rwxrwxr-x 1 root root 16312 Jul 30 12:05 a.out

$ ./a.out
Real user id: 1000
Effective user id: 1000
Operation not permitted

$ sudo ./a.out
Real user id: 0
Effective user id: 0
Opened file.

$ sudo chmod u+s a.out
$ ./a.out
Real user id: 1000
Effective user id: 0
Opened file.
```

However, regardless if I provide each and every executable in /usr/lib/virtualbox/* the sticky bit with `chmod u+s` this error keeps popping up.

X11 showing the error dialog refers to /usr/lib/virtualbox/VBoxManage. But it seems very resilient to any of my attempts.

BUT: running VBoxManage as root (e.g. `sudo VirtualBox`) works like a charm.

MarkJBobak (mark-bobak) wrote : Re: [Bug 1935856] Re: Virtualbox encounters 'Effective UID is not root' when starting a VM

Nice. I'm currently away from my computer, but I'll have a look ASAP.

Thanks!

-Mark


Oliver Maurhart (dyle71) wrote :

Errm, I don't know what to say.
Today I rebooted and tried again... and it worked. o.O

```
$ VBoxManage startvm 92522455-ebd0-4a67-8a38-4ba05ca3fc00
Waiting for VM "92522455-ebd0-4a67-8a38-4ba05ca3fc00" to power on...
VM "92522455-ebd0-4a67-8a38-4ba05ca3fc00" has been successfully started.
```

I did not reinstall Virtualbox. Just an ordinary regular apt update && apt upgrade today.

Hm, what remains is my sticky bit for /usr/share/virtualbox/VirtualBoxVM:
```
$ find /usr/lib/virtualbox/ -type f -executable | xargs ls -l | grep rws
-rwsr-xr-x 1 root root 166208 Jun 22 09:15 /usr/lib/virtualbox/VirtualBoxVM
```

I don't know why it works today, despite my tries yesterday... maybe the virtual box kernel modules have some magic residing in memory and thus ignoring my attempts until a reboot.

See myself puzzled...

Sergey Menshikov (sergem) wrote :

I confirm that setting suid on VirtualBoxVM mitigates the issue.
```
sudo chmod g+s /usr/lib/virtualbox/VirtualBoxVM
```

MarkJBobak (mark-bobak) wrote :

Confirmed!

Sergey, I needed to do `sudo chmod u+s`, *not* `sudo chmod g+s`. g+s didn't work.


Alexandre Horst (ahorst) wrote :

In addition, I needed to

```
sudo chmod u+s /usr/lib/virtualbox/VBoxNetAdpCtl
```

too to change network interfaces on the "Host Network Manager".
