I'm using spice-webdav to do folder shares in gnome-boxes/libvirt.
I've set my share folder to /home/boxshares and in most cases, the folder share works as meant. But in some situations, spice-webdav or gnome-boxes will give the guest read-write access to all my directory - aka /home/myusername.
This seems to occur when a live snapshot of the guest has been taken while the folder share has been mounted. Upon restoring the guest, the proper share folder is no longer mounted and in its place is my home directory with full read and write access to everything from within the VM.
How to reproduce (I'm only running Linux VM, I don't know if this is happening in other guest OSs):
set up folder sharing
start VM
go to nautilus in guest, hit Other Locations in the sidebar and mount your folder share
close VM, either by hitting Ctrl+Alt,Alt-F4 or taking a snapshot and quitting
restore live snapshot and go back to nautilus, the guest should still be mounted but with your home directory instead.
I used the spice-webdavd plugin on an Ubuntu 18.04 guest. Installed via apt.
This is a very dangerous bug that will put the machine of anyone using a VM to run untrusted apps at risk. Don't know if it's spice-webdav or gnome-boxes, so I opened an issue with both projects.