Prevent user@dom0 to create or remove template


mdasil...@gmail.com

Mar 8, 2017, 8:48:58 AM
to qubes-users
Hello,

I would like to create a few VM templates for forensic, personal, ....
Once I have created these templates, I don't want user@dom0 to be able to create or remove other VMs. The only VMs the user can create or remove are those based on a VM template created before.
I want the root user to be the only user who can create different VMs.

Thank you for your help, max

Unman

Mar 8, 2017, 9:56:26 AM
to mdasil...@gmail.com, qubes-users
Hello max,

The default Qubes setup doesn't differentiate between user and root -
for a rationale look here:
www.qubes-os.org/doc/vm-sudo

Also, Qubes isn't a multi-user OS.

So what you are asking for requires substantial changes to the default
Qubes set-up.
You will find instructions on that page on disabling password-less sudo.
This would be a first step.
Then you would need to change permissions on the qubes/templates and
make sure that your new user had at least read access to the templates
and no access to the Qubes dom0 tools.

None of the attendant problems are insurmountable, and there are some
users who have claimed to be able to get a multi-user system working.
But it isn't imo a genuine multi-user system and has a pretty thin veneer
of added security.

Try it by all means - you'll hit permissions problems for sure, and you
should be able to work around them.

If all you want to do is create a simple Qubes where users aren't likely
to break things, it's much easier to do this.
First stop manager from starting.
Create a custom menu with only a few qubes and few shortcuts.
Remove all the template menus and system menus.
Change the "desktop menu" to restrict options available to those same
qubes and shortcuts.

unman