
Vagrant compromises host security by default #1785

@mc0e

I'm hardly the first to notice, but out of the box, Vagrant has some serious security issues.

Firstly, it comes with standard ssh key and passwords, giving root access. This is pretty obvious, and not really unexpected. Most users will figure that it's ok, because Vagrant uses host only networking, and the VM's often not that important anyway.

Unfortunately, VirtualBox forwards 0.0.0.0:2222 on the host to the virtual environment. If it forwarded 127.0.0.1:2222 that wouldn't be much of an issue, but as it is, this opens up access to anyone on the local network.

VirtualBox also shares its configuration directory from the host, and it does it in read-write mode. This gives the vagrant user (or root) numerous ways to compromise the security of the host machine. The simplest such mechanism would be to put Ruby code into the Vagrantfile. Whatever code is put there will run on the host environment before long.

To do:

  1. Fix the port forwarding so it forwards from localhost only.
  2. Provide a way to make the sharing of directories read-only, and make that the default behaviour, particularly for the default sharing of the whole vagrant directory.
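
The two exposures described in the issue above can be checked on a host by parsing the output of `VBoxManage showvminfo <vm> --machinereadable`. The Ruby below is an added example, not part of the original issue or of Vagrant's code; the function names and the sample input are constructed for illustration.

```ruby
# Added example: audit `VBoxManage showvminfo <vm> --machinereadable` output.

# Forwarding value layout: name,protocol,host_ip,host_port,guest_ip,guest_port
def parse_forwards(vminfo)
  vminfo.each_line.map do |line|
    m = line.strip.match(/\AForwarding\(\d+\)="([^"]*)"\z/) or next
    name, proto, host_ip, host_port, _guest_ip, guest_port = m[1].split(",", -1)
    next if guest_port.nil?
    # An empty host IP means the listener binds to every host interface.
    loopback = host_ip.start_with?("127.") || host_ip == "::1"
    { name: name, proto: proto, host_ip: host_ip, host_port: host_port.to_i,
      guest_port: guest_port.to_i, exposed: !loopback }
  end.compact
end

# Shared folder name and path entries are paired by the numeric key suffix.
def parse_shared_folders(vminfo)
  names = {}
  paths = {}
  vminfo.each_line do |line|
    case line.strip
    when /\ASharedFolderNameMachineMapping(\d+)="([^"]*)"\z/ then names[$1] = $2
    when /\ASharedFolderPathMachineMapping(\d+)="([^"]*)"\z/ then paths[$1] = $2
    end
  end
  names.map { |idx, name| { name: name, host_path: paths[idx] } }
end

# Returns one finding per non-loopback forward and per shared host folder.
def audit(vminfo)
  exposed = parse_forwards(vminfo).select { |f| f[:exposed] }.map do |f|
    bind = f[:host_ip].empty? ? "all interfaces" : f[:host_ip]
    "port forward '#{f[:name]}': host #{f[:proto]}/#{f[:host_port]} on #{bind} -> guest port #{f[:guest_port]}"
  end
  shares = parse_shared_folders(vminfo).map do |s|
    "shared folder '#{s[:name]}': host path #{s[:host_path]} (confirm it is read-only or disabled)"
  end
  exposed + shares
end

# Constructed sample input, not captured from a real machine.
SAMPLE_VMINFO = <<~INFO
  name="demo_default"
  Forwarding(0)="ssh,tcp,,2222,,22"
  Forwarding(1)="web,tcp,127.0.0.1,8080,,80"
  SharedFolderNameMachineMapping1="vagrant"
  SharedFolderPathMachineMapping1="/home/dev/project"
INFO

puts audit(SAMPLE_VMINFO) if __FILE__ == $PROGRAM_NAME
```

The machine-readable output does not say whether a share is mounted read-write in the guest, so every shared host path is reported for manual review.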
