VirtualBox synced folder symlinks shouldn't be enabled by default

[edgmnt]

According to https://phoenhex.re/2018-03-25/not-a-vagrant-bug that VirtualBox feature is insecure. Vagrant just shows a warning and it merrily goes on its way. Why not disable it by default and ship secure defaults? Let users opt in if they really need it.

[RyanJarv]

Didn't know about this one. I'm all for this, but also worth considering vagrant also:

• Allows code execution on the host
  • https://blog.ryanjarv.sh/2019/06/08/malicious-vagrant-boxes.html
• Allows unfiltered access to the host's loopback adapter
  • https://blog.ryanjarv.sh/2020/11/13/virtual-box-networking.html
  • Can't easily be fixed since vagrant heavily relies on the NAT interface existing.
  • VirtualBox won't fix this issue with NAT. Reported it and they consider it a feature.

Ultimately I think there needs to be a plugin that changes vagrant to use secure behavior by default. Here's my best attempt at creating a isolated guest:

https://github.com/RhinoSecurityLabs/dsnap/blob/main/dsnap/files/Vagrantfile#L35

Vagrant sharing is disabled, NAT interface is replaced by host only interface. Unfortunately the second means no outbound networking, I couldn't figure out a straightforward way of preventing host loopback access with networking enabled.

Anyways it seems like they have given up on any sort of isolation between the guest and host and I haven't seen any effort for any of these to be fixed.