Linux – Prevent setuid from dropping setcap user privileges (VirtualBox)


I'm trying to run a web server from a headless, NAT'd VirtualBox guest. VirtualBox needs to bind to port 80, but the only way to do so is by running VirtualBox as root. To get around this, I tried using setcap, but the VirtualBox process is SUID root, meaning it drops all user privileges, including setcap settings.

Since VirtualBox runs with SUID root, why can't non-root users bind to privileged ports with it?

The guest cannot be bridged, it must use NAT. Rerouting traffic with iptables or running VirtualBox as root is also unfortunately not an option, but I may have to settle if there are no other options.

VirtualBox thread demonstrating this feature.

EDIT: My kern.log also confirms this:

warning: /usr/lib/virtualbox/VBoxHeadless' has both setuid-root and effective capabilities. Therefore not raising all capabilities.

EDIT: The capabilities manpage also touches on this:

If the effective user ID is changed from 0 to nonzero, then all capabilities are cleared from the effective set.

Any ideas?

Best Answer

I've located the source of the problem. SUID root programs actually can bind to privileged ports, but VirtualBox specifically drops SUID privileges shortly after it runs, making it impossible to give it the proper permissions without serious modifications. SUID is in fact compatible with setcap, as outlined on the capabilities man page. Recompiling VirtualBox from source is the only option.

EDIT: Setting export VBOX_HARD_CAP_NET_BIND_SERVICE=1 before building VirtualBox enables this functionality.

EDIT: I finally got it fully working by compiling a hardened VirtualBox build from SVN:

# Prerequisites:
#   - Satisfy all dependencies listed in the VirtualBox build instructions
#   - You may need to install additional packages:
#       texlive-latex-extra
#       yasm

cd ~

# Download VirtualBox source code from SVN
svn co vbox
cd vbox

# Configure build. I encountered Java errors so I disabled Java support
./configure --disable-java
source ./
kmk all

# Build kernel module. The below path may vary!
cd ~/vbox/out/linux.amd64/release/bin/src
sudo make install

# Build hardened executable
cd ~/vbox/src/VBox
kmk packing

# Install VirtualBox
cd ~/vbox/out/linux.amd64/release/bin
sudo ./ install

Some of the above steps may require symbolic links to be created. Follow the Linux build instructions for details.