I want to be able to have multiple users, but only allow them to
access certain VMs. After doing a lot of tinkering, I found my only
option appears to be running separate instances of phpvirtualbox. So
I've set up two vboxweb services which run on different ports as
different users. I then created two phpvirutalbox directories with two
different config.php files. I then logged into both instances and
created a user for each, and deleted the admin user.
Summary of my setup: Two separate services, https://server/alice and https://server/bob, running as system users alice:alice and bob:bob
with separate web users alice:alice and bob:bob.
Initially I thought everything worked great. If I login with
alice:alice at https://server/bob, it fails. This is what I would
expect. However, if I login with alice:alice at https://server/alice,
then navigate to https://server/bob, it allows access. I would most
definitely not expect this. I verified that I could change bob's VMs
as alice (and vice versa) using this method. I would consider this a
pretty big security flaw. Does anyone know if this is a known bug, or
if there is a fix in the works?
Thanks,
mjwhitta
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I want to be able to have multiple users, but only allow them to
access certain VMs. After doing a lot of tinkering, I found my only
option appears to be running separate instances of phpvirtualbox. So
I've set up two vboxweb services which run on different ports as
different users. I then created two phpvirutalbox directories with two
different config.php files. I then logged into both instances and
created a user for each, and deleted the admin user.
Summary of my setup: Two separate services, https://server/alice and
https://server/bob, running as system users alice:alice and bob:bob
with separate web users alice:alice and bob:bob.
Initially I thought everything worked great. If I login with
alice:alice at https://server/bob, it fails. This is what I would
expect. However, if I login with alice:alice at https://server/alice,
then navigate to https://server/bob, it allows access. I would most
definitely not expect this. I verified that I could change bob's VMs
as alice (and vice versa) using this method. I would consider this a
pretty big security flaw. Does anyone know if this is a known bug, or
if there is a fix in the works?
Thanks,
mjwhitta
I'll have a fix out in the next release. It would only affect installations on the same machine .
This has been corrected in the latest release.