This is not a real question; rather, I want to put this here to document it, as there is a lot of contradicting information on the web.
When you run VirtualBox on a headless Linux server, there are, AFAIK, at least two native options (i.e. not RDP/VNC/X) to access VirtualBox remotely. One is phpVirtualBox and the other is RemoteBox. Either of these solutions needs the VirtualBox web services.
Running the VirtualBox web services as the root user is not a good option for security reasons. Many of the solutions suggested on the web are outdated: they talk about changing the /etc/config/defaults files, which is relevant only for initd and no longer for systemd.
Other solutions cover only some of the steps and fail, for example, on access rights to PAM or to the PID file.
We need to address the following steps:
Create a user
Create a non-root user, with a home directory and no login capabilities
Add the user to the shadow group
The user's primary group needs to be vboxusers. To allow the web services to authenticate against PAM, the user can, at least on Debian-based systems such as Debian, Ubuntu or Mint, be made a member of the shadow group.
Modify the systemd unit file
The unit file needs to have the following content:
So rather than calling the start batch script, we call the executable directly. The options indicate the location of the pidfile as well as the interface it binds to (in the example this is 0.0.0.0, so any interface).
This video on YouTube describes all necessary steps in detail.
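The three steps above as one script. This is an added example, not the unit file or commands from the original post. Assumptions: the account name `vbox`, the binary path `/usr/bin/vboxwebsrv`, the unit name `vboxweb.service` and a PID file in the service user's home directory.

```shell
#!/bin/sh
# Added example: the values below are assumptions, not taken from the original post.
SVC_USER=vbox                              # assumed account name
SVC_HOME=/home/$SVC_USER                   # PID file lives here (writable by the user)
BIND_ADDR=${BIND_ADDR:-0.0.0.0}            # the post binds to any interface
VBOXWEBSRV=/usr/bin/vboxwebsrv             # assumed path; check with `command -v vboxwebsrv`
UNIT=/etc/systemd/system/vboxweb.service   # hypothetical unit name

# Print the unit file: start the executable directly as the unprivileged
# user instead of going through the root-run start script.
render_unit() {
    cat <<EOF
[Unit]
Description=VirtualBox Web Service (non-root)
After=network.target

[Service]
Type=forking
User=$SVC_USER
Group=vboxusers
PIDFile=$SVC_HOME/vboxwebsrv.pid
ExecStart=$VBOXWEBSRV --background --pidfile $SVC_HOME/vboxwebsrv.pid --host $BIND_ADDR

[Install]
WantedBy=multi-user.target
EOF
}

# Succeeds only if the unit text names a User= that is not root.
unit_is_unprivileged() {
    u=$(printf '%s\n' "$1" | sed -n 's/^User=//p')
    [ -n "$u" ] && [ "$u" != "root" ]
}

# Perform the steps (needs root): account with primary group vboxusers,
# shadow membership for PAM, no login shell, then install and start the unit.
provision() {
    useradd --create-home --gid vboxusers --groups shadow \
            --shell /usr/sbin/nologin "$SVC_USER"
    render_unit > "$UNIT"
    systemctl daemon-reload
    systemctl enable --now "$(basename "$UNIT")"
}

# Default is a dry run that only prints the unit; pass "apply" to make changes.
if [ "${1:-}" = "apply" ]; then provision; else render_unit; fi
```

Setting `BIND_ADDR` to a single management address before running narrows the listener from every interface to that one.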