File-level write protection in shared folder

Discussions related to using VirtualBox on Linux hosts.
db-inf
Posts: 4
Joined: 9. Apr 2018, 16:50

File-level write protection in shared folder

Post by db-inf »

My setup is an Ubuntu Xenial host and a Windows XP guest. A set of Windows programs is stored in a directory tree on the Linux disk, so that I can
  • manage the lot in my host
  • execute (some of) these programs under wine, often with some limitations
  • execute them in a Windows VM via VirtualBox shared folder as well
I succeeded in giving this directory tree the same drive letter in wine as in the Windows VM, so that the programs can share their configuration files, which is useful for various reasons. I can now execute most programs in wine to have a quick look at something, or start a VM to do more complicated work with them.

In Windows I had a very successful protection scheme, by setting permissions at the file level. All directories with executables or libraries in them were write-protected, except for the occasional configuration file. And all files in writable directories had a no-execute file permission (forgot the English word for it). I am now trying to find the equivalent for this setup.

To my surprise, a file in a shared folder that I chmodded to read-only could be written to from the VM (even without explicitly removing the read-only flag in the VM itself). Other surprises may be lurking in a corner, and that is why I would like to have confirmation that this is a good protection scheme for my new setup:
  • the shared folder is read/write (because of the configuration files that some programs write to on every execution)
  • all directories in the directory tree are read/execute, no write. This prevents a rogue Windows program (or my thick fingers) from deleting any file in it, or even the complete directory (which happened yesterday, I love backups)
  • all files in the directory tree are owned by another user (for the moment root) than the one executing the VM, and not writable by 'other', so that no files can be infected by well written viruses or badly written applications.
  • exception is made for a number of configuration files: these ARE writable by 'other'
Last edited by db-inf on 11. Apr 2018, 13:16, edited 1 time in total.
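
An added example, not part of the original posts: a host-side audit of the scheme listed above, reporting every directory or file that a given account could write according to the Unix mode bits, apart from an allow-list of configuration files. The function names, the sample tree and the stand-in uid are constructed for illustration; the check looks only at host permissions and ignores ACLs.

```python
import os
import stat
import tempfile


def can_write(st, uid, gids):
    """Classic Unix mode-bit check (ignores ACLs and root's override)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root, vm_uid, vm_gids, writable_ok=()):
    """Return sorted (problem, relative path) pairs that break the scheme."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # A writable directory lets the VM user delete or replace its entries.
        if can_write(os.lstat(dirpath), vm_uid, vm_gids):
            findings.append(("dir-writable", rel_dir))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            st = os.lstat(os.path.join(dirpath, name))
            if can_write(st, vm_uid, vm_gids) and rel not in writable_ok:
                findings.append(("file-writable", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: one program directory with three files."""
    root = tempfile.mkdtemp(prefix="sf-audit-")
    app = os.path.join(root, "app")
    os.mkdir(app)
    for name, mode in (("tool.exe", 0o644), ("tool.ini", 0o666),
                       ("helper.dll", 0o666)):
        path = os.path.join(app, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(app, 0o755)   # not writable by 'other': matches the scheme
    os.chmod(root, 0o777)  # writable by 'other': breaks the scheme
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    other_uid = os.stat(tree).st_uid + 1  # stand-in for the VM user
    for problem, path in audit_tree(tree, other_uid, set(), {"app/tool.ini"}):
        print(problem, path)
```

On a real tree, pass the uid and group ids of the account that runs the VM and the relative paths of the configuration files that are meant to stay writable.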
Martin
Volunteer
Posts: 2562
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: File-level write protection in shared folder

Post by Martin »

Don't rely on shared folders if you need to use advanced features like access control.
Shared folders are only implemented with very limited features, just for copying files between guest and host.
db-inf
Posts: 4
Joined: 9. Apr 2018, 16:50

Re: File-level write protection in shared folder

Post by db-inf »

@Martin
I appreciate your advice, but shared folders are very useful to avoid duplication. Duplication inevitably leads to synchronization problems and to overloading backup procedures and space.

So I'll go with shared folders as far as I can. My old Windows rig lasted 15 years without problems, thanks to the effort I put into it at the beginning. If I can repeat that, it may last to near the end of my useful life.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: File-level write protection in shared folder

Post by mpack »

db-inf wrote: shared folders are very useful to avoid duplication
True, but that doesn't affect the answer given.

If GA shared folders don't suit your needs then configure a true network share instead.

And do remember that a shared folder is showing you files belonging to another PC. A shared folder is not a disk drive, it's just a file transfer protocol with a directory-like presentation.
db-inf
Posts: 4
Joined: 9. Apr 2018, 16:50

Re: File-level write protection in shared folder

Post by db-inf »

mpack wrote: If GA shared folders don't suit your needs then configure a true network share instead.
I will do that, but for the moment I am trying to make shared folders suit this one need. For other needs I indeed use network shares already.

And you too are thanked for your contribution, but I would still welcome an answer to my question, instead of advice on why I should not have that question.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: File-level write protection in shared folder

Post by socratis »

The answer I'm afraid has been given quite clearly. The problem is that you don't like the answer.

It's like you're telling me "I want to have security descriptors, user/group ownership on a FAT32 filesystem". The answer would be the same; can't do.