What is the correct way to share directories with Ubuntu running in a Virtual Box VM with correct permissions?
I've figured it out!
To reproduce:
- Shutdown the VM, add shared folders in VBox's settings (Permanent=Yes, Auto-Mount=No)
- Start the VM
From a terminal, run
umask && id
as the normal user to get something like this:002 # this is your umask uid=1000(luser) gid=1000(luser) groups=1000(luser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),125(vboxsf)
sudo mkdir -p /media/sf_src # src is the shared directory
To mount the src
directory as a test:
sudo mount.vboxsf -o umask=002,gid=1000,uid=1000 src /media/sf_src
| | | | |-> where to mount
| | | | the file
| | | |-> name of the shared dir
| | | (in VBox settings)
| | |
\ | /
from the `id` command
To automatically mount it on login, edit /etc/fstab
and add the following:
src /media/sf_src vboxsf umask=002,gid=1000,uid=1000
The problem -- permission issues in vbox/ubuntu accessing a OSX shared drive
joe_public@joe_public-ubuntu-VirtualBox:/$ ls /media/sf_shared
ls: cannot open directory /media/sf_shared: Permission denied
The goal is a simple way to to share directories between Mac and Ubuntu environments. Unfortunately the examples that I have seen so far seem to be a bit more complex than they actual need to be, and don't really explain what the real problem that needs to be solved. I'll attempt to to handle both of those issues here.
The environment here is a Mac running OSX 10.9.5, with Virtual Box 4.3.16 executing Ubuntu-14.04.1 with Guest extensions installed. September 2014 stuff.
I think that the entire problem here is that the uid of the directories on the Mac, and in Ubuntu must match — The default gid’s assigned for user and groups are different between OSX and Ubuntu, and that’s where the trouble lies.
To access a file, one must either own it, or be a member of the group that owns it. And as access is actually based on the id number of the group, not the group name, all that is necessary is to create a common group number on both sides, that the users belong to.
That’s exactly what the solution below does. Don’t be mislead by the length of what’s written, it’s actually very simple. There are just lots and lots of examples of what’s going on.
I’m going to be flipping between OSX and VBOX consoles here (mac and virtual-box/ubuntu) within this doc — make sure you understand which window your in.
Final note: The solution shown below is based on establishing a common group id between the OSX and Ubuntu environments, so that the file permissions work. There may be other, more modern solutions. This one is really simple and understandable, and runs on bare bones basic unadorned installations.
OSX: —————
Note that is was done on a fresh out of the box 10.9.5 Mac, with nothing on it, not connected to a corporate network, nothing fancy running on it other than stock software. This is as simple as it gets.
When I did the default install on the Mac, joe_public is the admin user, and his uid was set to 501.
Joes-MacBook-Pro:/ joe_public$ id
uid=501(joe_public) gid=20(staff) groups=20(staff),999(vboxsf),401(com.apple.sharepoint.group.1),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),501(access_bpf),33(_appstore),100(_lpoperator),204(_developer),398(com.apple.access_screensharing),399(com.apple.access_ssh)
Notice that the uid is 501 — this is the default first account id on OSX — nothing special
I created a few directories that I want to share on the Mac side — Note that I did not put them under my user directory for backup reasons.
Joes-MacBook-Pro:/ joe_public$ mkdir /vdisk
Joes-MacBook-Pro:/ joe_public$ mkdir /vdisk/shared
Joes-MacBook-Pro:/ joe_public$ mkdir /vdisk/public
Joes-MacBook-Pro:/ joe_public$ mkdir /vdisk/images
Joes-MacBook-Pro:vdisk joe_public$ ls -al
total 0
drwxr-xr-x 5 joe_public admin 170 Oct 8 01:08 .
drwxrwxr-t 36 root admin 1292 Oct 6 02:26 ..
drwxrwxrwx 2 joe_public admin 68 Oct 6 01:08 images
drwxr-xr-x 3 joe_public admin 102 Oct 8 01:07 public
drwxrwxrwx 4 joe_public admin 136 Oct 8 00:45 shared
VBOX: ——————
Simple default virtual box and ubuntu installation - again, joe_public is the default admin created when I installed ubuntu.
Please note once again, that the name space between the OSX and Ubuntu is completely different. There is absolutely no relationship between the two names here.
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_shared$ id
uid=1000(joe_public) gid=1000(joe_public) groups=1000(joe_public),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
Created three mount points, using Virtual Box's Setting -> Shared Folders gui.
Name Path Auto-mount Access
images /vdisk/images Yes Full
public /vdisk/pubic Yes Read-only
shared /vdisk/shared Yes Full
NOTE: I actually had to reboot my session for all these mount points to come up.
joe_public@joe_public-ubuntu-VirtualBox:~$ mount | grep vboxsf
shared on /media/sf_shared type vboxsf (gid=999,rw)
public on /media/sf_public type vboxsf (gid=999,rw)
images on /media/sf_images type vboxsf (gid=999,rw)
Notice that the gid for these is 999 — this is the vboxsf group.
joe_public@joe_public-ubuntu-VirtualBox:~$ grep 999 /etc/group
vboxsf:x:999
This was assigned automagicly by Virtual Box version 4.3.16 for us. The vbox documentation shows ways how to change this if you mount the path manually through the command line, but who’s going to remember that — Simply take the defaults that the GUI forces on us..
But it doesn't work (expected at this point -- that's what we are trying to solve)
joe_public@joe_public-ubuntu-VirtualBox:/$ ls /media/sf_shared
ls: cannot open directory /media/sf_shared: Permission denied
Note that at this point joe_public is not a member of that vboxsf group — and that’s going to be a problem until we fix it. FYI: These are the default groups assigned to the account when it is created.
joe_public@joe_public-ubuntu-VirtualBox:/media$ grep joe_public /etc/group
adm:x:4:syslog,joe_public
cdrom:x:24:joe_public
sudo:x:27:joe_public
dip:x:30:joe_public
plugdev:x:46:joe_public
lpadmin:x:108:joe_public
joe_public:x:1000:
sambashare:x:124:joe_public
So what we have at this point (we haven’t done anything yet to fix it)
• On mac, joe_public gid is 501
• On linux, joe_public gid is 1000
• On linux, vboxfs gid is 999
• On mac, vboxsf does not exist
We don’t want to change the gid of the user joe_public on either side, as that’s a pain in the ass on already installed systems, and doesn’t solve this for other users. The simplest solution is to make a matching group id — vboxsf — on the mac side, and make sure that joe_public is a member of it on both sides.
So, still on vbox/ubuntu, make joe_public a member of the 999 vboxsf group
joe_public@joe_public-ubuntu-VirtualBox:/$ sudo usermod -a -G vboxsf joe_public
joe_public@joe_public-ubuntu-VirtualBox:/$ grep 999 /etc/group
vboxsf:x:999:joe_public
I think I logged out of my account and back in again here after I did this.
OSX: —————
Now we need to create a vboxsf group on the mac. I doubt that the name actually makes a difference here — it’s the 999 group id that’s important. Please remember that the directory system name spaces (as well as user names) are different between the host and the VM operating systems. But just to make life sane, we all call it vboxsf on the mac. Same reasoning why joe_public is used a user name on both sides.
OSX doesn’t have a simple add group command like linux does — so use the dscl command to do this in multiple steps. Please see the mac os documentation for more details on this. Notice that we create the vboxsf group, and add joe_public to that group here.
sudo dscl . -create /Groups/vboxsf
sudo dscl . -create /Groups/vboxsf name vboxsf
sudo dscl . -create /Groups/vboxsf passwd "*”
sudo dscl . -create /Groups/vboxsf gid 999
sudo dscl . -create /Groups/vboxsf GroupMembership joe_public
So, at this point, we should have
• On mac, joe_public gid is 501
• On linux, joe_public gid is 1000
• On linux, vboxfs gid is 999
• On mac, vboxsf gid is 999
• On linux, joe_public is member of vboxsf
• On mac, joe_public is member of vboxsf
The proof here is if it works — so that’s the next step
VBOX: ——————
cd into our directory and touch a file
joe_public@joe_public-ubuntu-VirtualBox:/$ cd /media/sf_shared
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_shared$ touch foo
Check that we created a file successfully.
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_shared$ ls -al
total 4
drwxrwx--- 1 root vboxsf 102 Oct 8 00:44 .
drwxr-xr-x 5 root root 4096 Oct 8 00:30 ..
-rwxrwx--- 1 root vboxsf 0 Oct 8 00:44 foo
OSX: —————
Joes-MacBook-Pro:shared joe_public$ cd /vdisk/shared
Joes-MacBook-Pro:shared joe_public$ ls -al
total 0
drwxrwxrwx 3 joe_public vboxsf 102 Oct 8 00:44 .
drwxr-xr-x 6 joe_public admin 204 Oct 8 00:17 ..
-rw-r--r-- 1 joe_public vboxsf 0 Oct 8 00:44 foo
Joes-MacBook-Pro:shared joe_public$ touch bar
Joes-MacBook-Pro:shared joe_public$ ls -al
total 0
drwxrwxrwx 4 joe_public vboxsf 136 Oct 8 00:45 .
drwxr-xr-x 6 joe_public admin 204 Oct 8 00:17 ..
-rw-r--r-- 1 joe_public vboxsf 0 Oct 8 00:45 bar
VBOX: ——————
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_shared$ ls -al
total 4
drwxrwx--- 1 root vboxsf 136 Oct 8 00:45 .
drwxr-xr-x 5 root root 4096 Oct 8 00:30 ..
-rwxrwx--- 1 root vboxsf 0 Oct 8 00:45 bar
-rwxrwx--- 1 root vboxsf 0 Oct 8 00:44 foo
It all appears to be working..
VBOX: —————— FINAL VERIFICATION
What we are checking out here is that this whole thing depend upon the user joe_public being a member of the vboxsf group — and the simplest way is simply removing joe_public from the group
Removing user joe_public from group vboxsf
joe_public@joe_public-ubuntu-VirtualBox:~$ sudo gpasswd -d joe_public vboxsf
log out/in ubuntu
Seeing if we can access it our directory -- and we can't, and this proves that is a group permission problem
joe_public@joe_public-ubuntu-VirtualBox:/$ ls /media/sf_shared
ls: cannot open directory /media/sf_shared: Permission denied
Add user back into vboxsf
joe_public@joe_public-ubuntu-VirtualBox:/$ sudo usermod -a -G vboxsf joe_public
log out/in ubuntu
It works again !
joe_public@joe_public-ubuntu-VirtualBox:~$ ls -al /media/sf_shared
total 4
drwxrwx--- 1 root vboxsf 170 Oct 8 01:48 .
drwxr-xr-x 6 root root 4096 Oct 8 01:25 ..
-rwxrwx--- 1 root vboxsf 0 Oct 8 00:45 bar
-rwxrwx--- 1 root vboxsf 0 Oct 8 00:44 foo
VBOX: -- ONE MORE PROBLEM -- symbolic links in vbox -------
If you go into /media/sf_shared, you will find that symbolic links in shared directories simply don't work. This is a really big problem if you are trying to set up a full linux development environment on a shared drive.
joe_public@joe_public-ubuntu-VirtualBox:/media$ cd sf_images
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_images$ ls
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_images$ mkdir test
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_images$ ln -s test test2
ln: failed to create symbolic link ‘test2’: Read-only file system
By default, symbolic links aren't supported on virtual box shares. See below for explanations. Basically as I understand it, symbolic links are a security hole that were "fixed" in Virtual Box by disabling support for them in the 4.1.8 time frame (2011). I'm running 4.3.16 here...
https://www.virtualbox.org/ticket/10085
http://ahtik.com/blog/fixing-your-virtualbox-shared-folder-symlink-error/
Fortunately there is a back door to re-enable it, via the Host's VBoxManage command. Like always, please understand the security holes here that you may be opening. I'm on a stand-alone development machine, so this doesn't appear to be a problem.
OSX: ------------
Joes-MacBook-Pro:shared pbradstr$ VBoxManage setextradata Ubuntu VBoxInternal2/SharedFoldersEnableSymlinksCreate/shared 1
Note: Ubuntu is my vm's name, and shared is the shared directory name.
You can get the vm name like this:
Joes-MacBook-Pro:shared pbradstr$ VBoxManage list vms
"Ubuntu" {8461045a-1cee-4d44-8148-05920a47cee0}
Joes-MacBook-Pro:shared pbradstr$
And the shared folders name, either via the Virtual Box gui, or
Joes-MacBook-Pro:shared pbradstr$ VBoxManage showvminfo Ubuntu | grep -A 5 "Shared folders"
Shared folders:
Name: 'shared', Host path: '/vdisk/shared' (machine mapping), writable
Name: 'public', Host path: '/vdisk/public' (machine mapping), readonly
Name: 'images', Host path: '/vdisk/images' (machine mapping), writable
I rebooted the entire virtual box system here, I didn't figure out the minimum requirement for it to take.
Anyway, to test this, go back to you vbox window
VBOX: ---------
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_images$ ln -s test test2
No error -- and to verify
joe_public@joe_public-ubuntu-VirtualBox:/media/sf_shared$ ls -ald test*
drwxrwx--- 1 root vboxsf 102 Oct 8 11:33 test
lrwxrwx--- 1 root vboxsf 4 Oct 8 13:10 test2 -> test
OSX: ----------
And back on the mac side -- just to prove it all works
Joes-MacBook-Pro:shared pbradstr$ ln -s test test3
Joes-MacBook-Pro:shared pbradstr$ ls -ald test*
drwxr-xr-x 4 joe_public admin 136 Oct 8 13:20 test
lrwxr-xr-x 1 joe_public admin 4 Oct 8 13:10 test2 -> test
lrwxr-xr-x 1 joe_public admin 4 Oct 8 13:21 test3 -> test
Please note, I have only tested this on a OSX host, and Ubuntu virtual box client. The references that I listed above seemed to indicate that there might be an issue running a Windows based host.
EXERCISE LEFT FOR THE STUDENT ———————
The benefit of the method listed above is that it can run on a stand-along machine, with no network access. But if you think about this, this name-verses-id issue has got to be a common problem between any heterogeneous computing environments.
What other solutions are available where solutions to that problem are available? — Things like Active Directory (a Microsoft product) and the like might be able to solve this. It would be interesting to obtain a collection of those solutions and compare there various features and tradeoffs.
Ever since VirtualBox v4.0, it's easy to solve these permissions issues! You don't need to worry about mkdir
, mount
, chmod
, umask
, etc. To access your auto-mounted shared folders (which appear in /media
with sf_
prefixes by default), there's only one thing you need to do: Add your username to the vboxsf
group via sudo usermod -a -G vboxsf [username]
.
For convenience, you may also want to create symbolic links to those shared folders within your home
folder (e.g., ln -s /media/sf_Stuff ~/Stuff
).
Source: http://www.virtualbox.org/manual/ch04.html#sf_mount_auto