Idea - Could I limit guest OS access in this manner

[cat2005]

I run a linux ubuntu host.

I want to put a guest OS in the following manner:
- any of my multiple host accounts can use the guest OS
- only one of my multiple host accounts can alter (write access) the guest OS

I did some quick research and am throwing in a few of my ideas. Could you tell me if this approach would work?

Assumptions:
- Place the hidden ".virtualbox...." folder and files in /home for the users. Their respective /home permissions would look like this: User: rwx Group: (the group permissions here wouldn't matter for this particular project, would it?)
- Place the actual vdi in a separate partition, separate folder, and have that owned by the user who can alter (write access) the guest OS. The permissions for this folder would be: User: rwx Group: r-x
- All host user accounts are in the same Group

Thus:
- Those with the hidden ".virtualbox..." folders and files could keep their own virtual machine configuration but still not alter the guest OS because
- Only one user "owns" the windows guest OS and those in his group lack "write" access

Would this work, or do I need to do more research and go back to the drawing board?

Thank you!

[MarkCranness]

... Could you tell me if this approach would work?

No, it will not work.

But by using Immutable disks, you could get close (see section 5.3 of the manual).
You would have to detach the disk from all of the 'read-only' VMs to update the disk in the 'write access' VM and then reattach to the 'read only' VMs.

Get the VDI how you want it, then:

• Detach the VDI from the 'write access' VM
• Set the VDI's state to immutable (VBoxManage modifyhd VDI.vdi --type immutable)
• Attach to 'read only' VMs

To change the VDI:

• Detach the VDI from all of the 'read only' VMs
• (Edit: Oops, required) Delete the now unused differencing disks (use Virtual Media Manager)
• Set the VDI's state to normal (VBoxManage modifyhd VDI.vdi --type normal)
• Attach it to the 'write access' VM
• Start 'write access' VM, Install updates, Shutdown VM
• Detach the VDI from the 'write access' VM
• Set the VDI's state to immutable again
• Attach to 'read only' VMs

Problems with your r-x method include:
- VirtualBox won't allow a VM to start if a hard disk file attached to the machine is read-only.
(I mean: Using Virtual Media Manager, find the file in the tree that says 'Attached to: <vm>' without any (snapshot) suffix. That file must be read-write.)
- If multiple VMs have the same hard disk attached to the machine (see above for definition), then only one of those VMs can run at a time.
- If multiple VMs have the same hard disk attached to the machine (and that disk is 'Normal') then no snapshots can be taken.

[cat2005]

Ahh....I figured I must have missed something. Thank you so much for your input. I know there is information on this website (and probably google) that could tell me how to accomplish this task. However, I wanted to see if my understanding was advanced enough to "do it my way".

Back to hitting the books!

Thanks!

[Sasquatch]

In addition, to making a normal VDI read-only will cause problems on the Guest OS itself. Linux will boot, but with some errors. Windows will flat out BSOD before it even gets the chance to load.