Wine securityflaw: Protect against root
p_christ at hol.gr
Sun Oct 27 07:13:26 CST 2002
> Peter Andersson <kanelballe at softhome.net> writes:
>
> > The question is... Would you expect that damage from running a windows app
> > in wine, when you know it could be safely run in Windows?
> > In just a few embedded bytes in the code it could remove your home
> > directory in a single syscall. Would you expect that? - I wouldn't.
>
> You should. If you run untrusted code under your account it can do
> anything that you are allowed to. This is exactly equivalent to
> running an untrusted Linux app. From a security standpoint there is
> absolutely no difference between a Windows binary running under Wine
> and a Linux binary running natively.
>
> You can use the DOS drive configuration to limit the potential
> problems a bug in a Windows app can cause; but it is impossible to
> protect against malicious code except by not running it. Wine is not,
> and cannot be, a sandbox for running untrusted code.
>
> > Can't we at least try to implement some protection in wine against these
> > attacks, before something really nasty happens.
>
> No, we can't.

I really agree that wine is safe enough.

However, we should always remember that wine is bound to be used by former win
users, who may have no concern about security. I often hear about people
running wine as root or mapping '/' to a wine drive.

I think that the wine code should protect the system from such _users_!

Here is what I would do:

Write a segment of code that will abort wine, if it is run as root (that is,
just before wine starts anything). This piece of code should only be
explicitly disabled in the 'configure' script. That way, only a
wine-developer will be able to cause wine to run as root. It has to be that
hard to do so.

We should then stop hearing claims that 'wine is unsafe'.
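
A sketch of the startup guard proposed in the message above, added here as an illustration; it is not part of the original post and is not Wine's own code. The macro `WINE_ALLOW_ROOT` and the function names are hypothetical: the macro stands for a switch that only a configure-time option would define, so there is deliberately no environment variable or command-line override.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical build-time switch: defined only by a configure option,
 * so an end user cannot turn the guard off at run time. */
#ifdef WINE_ALLOW_ROOT
#define ROOT_ALLOWED 1
#else
#define ROOT_ALLOWED 0
#endif

enum guard_result { GUARD_OK = 0, GUARD_ROOT_REAL, GUARD_ROOT_EFFECTIVE };

/* Pure decision function, kept separate from the syscalls so it can be
 * tested without actually being root. Both IDs are checked: a setuid-root
 * binary has euid 0 with a normal ruid, while a root shell that dropped
 * only its effective uid still has ruid 0 and can regain privileges. */
enum guard_result check_ids(uid_t ruid, uid_t euid, int root_allowed)
{
    if (root_allowed)
        return GUARD_OK;
    if (euid == 0)
        return GUARD_ROOT_EFFECTIVE;
    if (ruid == 0)
        return GUARD_ROOT_REAL;
    return GUARD_OK;
}

/* Call first thing at startup, before any Windows code is loaded. */
void abort_if_root(void)
{
    enum guard_result r = check_ids(getuid(), geteuid(), ROOT_ALLOWED);
    if (r == GUARD_OK)
        return;
    fprintf(stderr, "refusing to start: %s uid is 0 (root); "
            "run as an unprivileged user\n",
            r == GUARD_ROOT_EFFECTIVE ? "effective" : "real");
    exit(EXIT_FAILURE);
}

int main(void)
{
    abort_if_root();
    puts("startup continues as an unprivileged user");
    return 0;
}
```

This guard only addresses the "run as root" mistake described in the message; as the quoted reply says, code running under Wine can still do anything the invoking user is allowed to do.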