How to avoid that Parallels mount my home folder in guest? #171

Closed
chrvadala opened this issue Feb 6, 2015 · 5 comments

@chrvadala

I have removed a lot of shared folders with these lines:

```ruby
config.vm.provider "parallels" do |v|
  v.customize ["set", :id, "--smart-mount", "off"]
  v.customize ["set", :id, "--shared-profile", "off"]
  v.customize ["set", :id, "--shared-cloud", "off"]
end
```

but the Home folder is already there

```
Home on /media/psf/Home type prl_fs (rw,nosuid,nodev,sync,noatime,share)
```
@legal90
Collaborator

legal90 commented Feb 9, 2015

Sorry, it is not possible to do this via Vagrant, because there is no such option in prlctl. :(
So, you can set it via the GUI in the VM settings:
"Actions" -> "Configure..." -> "Options" -> "Sharing" -> "Share Folders" set to None

Custom shared folders, defined by Vagrant, are not affected by this setting and will be available in the guest OS.

P.S.
Could you please explain your use case? Is this undesired Home sharing critical for you?

@chrvadala
Author

Hi, now I'm using the GUI to exclude the home folder from my project, but this setting is lost when I destroy the VM.

I think that having the home folder mounted by default is a big security risk, because if I forget to disable it, I expose the home folder to an environment that might have some critical bug.

Another risk concerns the sharing feature (http://docs.vagrantup.com/v2/share/ssh.html). I have never used it, but I think that sharing SSH access with the home folder mounted can give colleagues or friends access to confidential documents.

I hope that Parallels will add this option to prlctl as soon as possible.

Thank you for your answer. I appreciate it a lot ;)

@legal90
Collaborator

legal90 commented Feb 11, 2015

Thank you for the explanation. I'll keep you posted here and will let you know when it is implemented in prlctl.

So, I think this issue can be closed.

@posita

posita commented Apr 17, 2015

UPDATE: It appears that vagrant-triggers is not needed for this hack. For some reason (at least with v9), the following is sufficient (i.e., /media/psf is not recreated on subsequent runs):

```ruby
# Vagrantfile
    ...
    config.vm.provider :parallels do |v, override|
        # %q{...} is a single-quoted Ruby string literal, so the shell's
        # "${i}" is passed through to the guest unchanged.
        override.vm.provision :shell, :inline => (%q{
            set -ex
            if [ -d /media/psf ] ; then
                for i in /media/psf/* ; do
                    if [ -d "${i}" ] ; then
                        umount "${i}" || true
                        rmdir -v "${i}"
                    fi
                done
                rmdir -v /media/psf
            fi
            exit}).strip
    end
    ...
```

Can someone verify whether this approach works on v10?

_WARNING: None of these hacks protect against certain attacks that would be avoided by never having those mount points in the first place (see example below)._

I haven't tested this, but in the meantime, as a hack, one could use emyl/vagrant-triggers and a script to force unmounting the offending directories. First, create the following (e.g., as umountpsf.sh in the same directory as your Vagrantfile):

```sh
#!/usr/bin/env sh
set -ex

if [ -d /media/psf ] ; then
    for i in /media/psf/* ; do
        if [ -d "${i}" ] ; then
            umount "${i}" || true
            rmdir -v "${i}"
        fi
    done

    rmdir -v /media/psf
fi

exit
```

Then call it on vagrant up:

```ruby
# Vagrantfile
    ...
    config.vm.provider :parallels do |v, override|
        override.vm.provision :shell, :path => 'umountpsf.sh'
        override.trigger.after :up do
            run "vagrant ssh -c /vagrant/umountpsf.sh"
        end
    end
    ...
```

But I agree, this should not be necessary. Auto-mounting by default is a _huge_ security no-no.[1] 😠 At the very least, Parallels' own boxes should completely disable all sharing by default except for /vagrant to remain consistent with other providers (but to be overridden as desired in the Vagrantfile). All of them I've seen have sharing _on_ by default. 😞

[1] Imagine a situation where an attacker manages to replace parallels/debian-7.8 (or creates and promotes a separate box altogether) with a build that mines /media/psf/... for sensitive data (e.g., .../Library/Application Support/Bitcoin/wallet.dat) as part of the init process and sends whatever it finds off to a remote website....

@legal90
Collaborator

legal90 commented Mar 30, 2016

@chrvadala I'm sorry for the late response. The CLI option for managing this was implemented in Parallels Desktop 11.0.0. This is how to disable "Home" folder sharing:

```sh
prlctl set <vm_uuid> --shf-host-defined off
```

In Vagrantfile it could be done this way:

```ruby
config.vm.provider "parallels" do |v|
  v.customize ["set", :id, "--shf-host-defined", "off"]
end
```

I will add this option to the list of default settings for all VMs, in addition to #215

legal90 added a commit to legal90/vagrant-parallels that referenced this issue Mar 30, 2016
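
A guest-side check for the setting discussed in this thread, as an added example that is not part of any comment above or of vagrant-parallels: it parses `mount` output in the format quoted in the first post and reports `prl_fs` mounts that are not on an allow-list. The function names, the `/vagrant` allow-list entry (which assumes Vagrant-defined shares also show up as `prl_fs`) and every sample line except the `Home` one are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list Parallels shared-folder (prl_fs) mounts that are not allow-listed.
# stdin: lines as printed by `mount`:  <source> on <mount point> type <fstype> (<options>)
# $1:    space-separated allow-list of mount points (assumption: only /vagrant)
unexpected_prl_mounts() {
    awk -v allowed="${1:-/vagrant}" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        {
            t = index($0, " type prl_fs (")      # only Parallels shares
            if (t == 0) next
            head = substr($0, 1, t - 1)          # "<source> on <mount point>"
            o = index(head, " on /")
            if (o == 0) next
            mp = substr(head, o + 4)             # mount point, may contain spaces
            if (!(mp in ok)) print mp
        }'
}

# Returns 0 when the running guest has no unexpected shares, 1 otherwise.
guest_shares_ok() {
    found="$(mount | unexpected_prl_mounts "${1:-/vagrant}")"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/unexpected Parallels share: /' >&2
    return 1
}

# Constructed sample; only the "Home" line is taken from the issue text.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,errors=remount-ro)
Home on /media/psf/Home type prl_fs (rw,nosuid,nodev,sync,noatime,share)
vagrant on /vagrant type prl_fs (rw,nosuid,nodev,sync,noatime,share)
Shared Docs on /media/psf/Shared Docs type prl_fs (rw,nosuid,nodev,sync,noatime,share)'

# Demo on the sample: prints the two mount points under /media/psf.
printf '%s\n' "$SAMPLE_MOUNTS" | unexpected_prl_mounts /vagrant
```

Calling `guest_shares_ok` from a provisioner makes `vagrant up` fail visibly when a box still exposes host folders, instead of relying on someone remembering the GUI setting.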