VirtualBox

Opened 2 months ago

Last modified 2 months ago

#22159 new defect

Correcting the Windows Security Configuration Commands

Reported by: agrajagco
Owned by:
Component: documentation
Version: VirtualBox-7.0.20
Keywords: install, windows, icacls
Cc: agrajagco
Guest type: all
Host type: Windows

Description (last modified by agrajagco)

The Windows security setup instructions located on the virtualbox.org and Oracle documentation site are missing important single quotes around the grant/deny assertions given as examples for proper filesystem setup.

From the user guide section 2.1.2: https://forum.virtualbox.org/manual/UserManual.html#install-win-installdir-req

And from the Oracle Documentation User Guide in Section 2 Installation

https://docs.oracle.com/en/virtualization/virtualbox/7.0/user/installation.html#installation

The instruction section for the icacls command reads as the following:

      icacls <Directory> /reset /t /c
      icacls <Directory> /inheritance:d /t /c
      icacls <Directory> /grant *S-1-5-32-545:(OI)(CI)(RX)
      icacls <Directory> /deny  *S-1-5-32-545:(DE,WD,AD,WEA,WA)
      icacls <Directory> /grant *S-1-5-11:(OI)(CI)(RX)
      icacls <Directory> /deny  *S-1-5-11:(DE,WD,AD,WEA,WA)
      

This is incorrect and should be rewritten as follows (note single quoting around grant/deny statements)

      icacls <Directory> /reset /t /c
      icacls <Directory> /inheritance:d /t /c
      icacls <Directory> /grant '*S-1-5-32-545:(OI)(CI)(RX)'
      icacls <Directory> /deny  '*S-1-5-32-545:(DE,WD,AD,WEA,WA)'
      icacls <Directory> /grant '*S-1-5-11:(OI)(CI)(RX)'
      icacls <Directory> /deny  '*S-1-5-11:(DE,WD,AD,WEA,WA)'
      

Single quoting the grant/deny assertions properly allows the commands to run properly on the target <directory> location.

I question the safety/sanity of running these against a default existing location in a user's home directory, however (e.g. C:\Users\myusername\Virtualbox VMs).

I am trying to find a sane way to move these VMs out of their current home and into a new space.

Question: Is there a manifest or something that can be edited for each config to correct the location of the VMs to a new correctly configured filesystem? I've searched the registry, etc. to try and find where this is stored to brute-force migrate, because anything that exists to move or do anything else with the VM will not recognize filesystem locations that have not been configured using the above commands.

I've started reading into the VBoxManage command line but cannot put together a working approach to do this via that tool, either.

It seems like BEFORE UPGRADING, users should be using their existing functioning version of VirtualBox to get things in a place that will be stable for the 7.x upgrade... that or some kind of tooling to assist with new filesystem / relocation setup?

I've created the following PowerShell script and tested it against a nested directory structure to make it properly recognizable for the 7.x VirtualBox. It works, but again I do NOT want to reinstrument ACLs around my default user home directory on Windows (and I would not have selected it on installation, this was a default at some point in my install history it looks like...)

(corrected script uploaded to address parent path having trailing slash properly)

      # Script: vbox-fixpaths.ps1
      # Version: 1.3.0

      # Check if a path was provided as a command-line argument
      if ($args.Count -eq 0) {
          Write-Host "Please provide a directory path as an argument."
          exit 1
      }

      # Get the path from the command-line arguments and strip any trailing backslash
      $targetPath = $args[0].TrimEnd('\')

      # Check if the path exists (-LiteralPath so [ ] * ? in a name are not treated as wildcards)
      if (-not (Test-Path -LiteralPath $targetPath)) {
          Write-Host "The specified path does not exist: $targetPath"
          exit 1
      }

      # Normalize the path
      $targetPath = [System.IO.Path]::GetFullPath($targetPath)

      # Get the parent directory
      $parentPath = [System.IO.Directory]::GetParent($targetPath)

      if (-not $parentPath) {
          Write-Host "No parent directory found for the specified path."
          exit 1
      }

      $parentPath = $parentPath.FullName

      # Define the set of commands to be run for each directory
      function Run-Commands {
          param (
              [string]$path
          )

          Write-Host "Running commands against directory: $path"

          # The grant/deny assertions, single-quoted so PowerShell passes the
          # parentheses through to icacls as literal text
          $aclEntries = @(
              @('/grant', '*S-1-5-32-545:(OI)(CI)(RX)'),
              @('/deny',  '*S-1-5-32-545:(DE,WD,AD,WEA,WA)'),
              @('/grant', '*S-1-5-11:(OI)(CI)(RX)'),
              @('/deny',  '*S-1-5-11:(DE,WD,AD,WEA,WA)')
          )

          # Call icacls directly with an argument list rather than through
          # Invoke-Expression, so characters such as $ ( ) ; ` in a directory
          # name are never re-parsed as PowerShell code
          foreach ($entry in $aclEntries) {
              $action, $ace = $entry
              Write-Host "Executing: icacls `"$path`" $action '$ace'"
              & icacls $path $action $ace
          }
      }

      # Run the commands against the parent directory
      Run-Commands -path $parentPath

      # Run the commands against the specified directory
      Run-Commands -path $targetPath

      # Recursively get all child directories of the specified path
      $childDirectories = Get-ChildItem -LiteralPath $targetPath -Recurse -Directory

      # Run the commands against each child directory
      foreach ($child in $childDirectories) {
          Run-Commands -path $child.FullName
      }

      Write-Host "Completed running commands."
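
A read-only check of the result, as an added example that is not part of the ticket or of the VirtualBox documentation: it reads a directory's ACL and reports, for each of the two SIDs used in the commands above, whether an allow entry covering (OI)(CI)(RX) and a deny entry covering (DE,WD,AD,WEA,WA) are present. The script name and the mapping of the icacls abbreviations to .NET `FileSystemRights` names are assumptions of this example.

```powershell
# check-vbox-acl.ps1 (hypothetical name) -- added example, changes nothing on disk
param([Parameter(Mandatory)][string]$Directory)

# The two SIDs from the ticket's icacls commands
$sids = 'S-1-5-32-545', 'S-1-5-11'

# icacls abbreviations expressed as .NET enum values (assumed mapping):
#   (RX)               -> ReadAndExecute
#   (DE,WD,AD,WEA,WA)  -> Delete, WriteData, AppendData,
#                         WriteExtendedAttributes, WriteAttributes
#   (OI)(CI)           -> ObjectInherit, ContainerInherit
$allowMask = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
$denyMask  = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData, WriteExtendedAttributes, WriteAttributes'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Ask for the rules keyed by SID, so the check does not depend on
# localized account names
$acl   = Get-Acl -LiteralPath $Directory
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

foreach ($sid in $sids) {
    $forSid = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })

    # Allow entry must include every RX bit and both inheritance flags
    $allowOk = [bool]($forSid | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $allowMask) -eq $allowMask -and
        ($_.InheritanceFlags -band $inherit) -eq $inherit
    })

    # Deny entry must include every right listed in the /deny command
    $denyOk = [bool]($forSid | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.FileSystemRights -band $denyMask) -eq $denyMask
    })

    [pscustomobject]@{
        Directory = $Directory
        Sid       = $sid
        AllowRX   = $allowOk
        DenyWrite = $denyOk
    }
}
```

Run it against the parent directory as well as the VM directory, since the script above applies the entries to both.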

Change History (2)

comment:1 by agrajagco, 2 months ago

Description: modified (diff)

comment:2 by agrajagco, 2 months ago

Description: modified (diff)