Write protect .vbox Config-Files

[de-ramon]

Hi,

in order to build a "bullet-proof" VM for some kids I'd like to write-protect the users vbox-File (I disabled there USB and modified Network).

The host is Debian Wheezy. Using chmod and chown to change the permissions to root:root and 444 is useless, because after restarting the VM the file is set to user:user 600....

So how to set permanently root:root 444 to set the files to read-only and protected them from being changed by the bad bad users?

It seem that the main problem is vBox running as root läuft (104511 root:root VirtualBox - suid)....

Ralf

[mpack]

VirtualBox needs to be able to write to it's config files, so they can't be made read only.

Anyway IMHO that is the wrong approach. Nothing along those lines would provide real protection. Real protection against accidental damage to data comes from making a backup copy.

[de-ramon]

Hi mpack,

I want to make the user not to break out of the VM (not network, no USB, no Clipboard, no comport, nothing). Just use the vm and the program and that's it. This can be done by editing the config.

But the user can edit the config, too. And I don't know how to come along, without doing an "overkill" remote VM with vrdp to the machine of the user. But than I've to buy VirtualBox because of vrdp used by differnt user.

Ralf

[noteirak]

What you are trying to do is currently not supported by Virtualbox, and I don't know a way to go around it. As you say, the main Virtualbox process runs as root, so anything can be done by it, regardless how much you try to limit it.