file sharing GAVE GUEST READ WRITE ACCESS TO MY WHOLE HOME DIRECTORY instead of actually assigned share folder
I've set my share folder to /home/boxshares and in most cases, the folder share works as meant. But it some situations, gnome-boxes will give the guest read-write access to all my directory - aka /home/myusername.
This seems to occur when a live snapshot of the guest has been taken while the folder share has been mounted. Upon restoring the guest, the guest folder is no longer mounted and in it's place is my home directory with full read and write access to everything.
How to reproduce (I'm only running Linux VM, I don't know if this is happening in other guest OSs):
- setup a folder sharing
- start vm
- go to nautilus in guest, hit Other Locations in the sidebar and mount your folder share
- close VM, either by hitting Ctrl+Alt,Alt-F4 or taking a snapshot and quitting
- restore live snapshot and go back to nautilus, the guest should still be mounted but with your home directory instead.
I used the spice-webdavd plugin on a ubuntu 18.04 guest.
This is a very dangerous bug that will put the machine of anyone using a VM to run untrusted apps at risk.
Edited by Ghost User