icmp states I need to be running wine as root

Saulius Krasuckas saulius2 at ar.fi.lt
Sat Dec 29 14:24:56 CST 2007


* On Sun, 21 Oct 2007, Juan Lang wrote:
> 
> > Isn't there another way to do this than with SOCK_RAW, or having to 
> > run wine as root?
> 
> In answer to your second question:  yes, modify the Linux kernel not
> to have such restrictions.

Well, there are already patches which modify it in one way or another.  
I refer to "man 7 capabilities" or web resources [1]-[3].  Some of the 
approaches may be abandoned already, but I see recent discussion [4] on 
this and by [5] I judge SELinux already can handle this task.

Plus, I have found some recently updated tool called "Filesystem 
capabilities for linux" [6] which also is not POSIX compatible (and neither 
was the old capabilities implementation for the linux kernel):

|  With this patch, you will be able to grant selective privileges to 
| executables on a needed basis. This means for some executables, there is 
| no need anymore to run as root or as a suid root binary.
| 
| For example, you may drop the SUID bit from ping and grant the 
| CAP_NET_RAW capability:
| 
|     # chmod u-s /bin/ping
|     # chcap cap_net_raw=ep /bin/ping 

If this is an acceptable solution, then it probably would be nice for Wine to 
have a separate binary for every needed capability.  CAP_NET_RAW (for ICMP), 
CAP_SYS_RAWIO (for IO ports) and CAP_SYS_NICE (for thread priority) come 
to mind.

The plan is not to force users to give the bunch of capabilities to the 
main Wine binary (or even several of them) at once (so the security risk 
should be increased in a minimal way).  But well, that could be a minor 
nuance for such users.


[1] http://www.securityfocus.com/infocus/1400
[2] http://lwn.net/Articles/79185/
[3] http://lwn.net/Articles/199004/
[4] http://lkml.org/lkml/2006/9/18/100
[5] http://lwn.net/Articles/79208/
[6] http://www.olafdietsche.de/linux/capability/
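As an added example (not code from this thread or from Wine) of the per-capability helper idea above: a small C program that, before doing its privileged work, reads its effective capability set from /proc/self/status and checks that it holds CAP_NET_RAW and nothing broader, refusing or warning otherwise. The capability numbers are the ones from linux/capability.h; the `setcap` hint in the error message assumes the libcap tools are used to install the helper.

```c
/* Least-privilege check for a per-capability helper (added example). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Capability bit numbers as defined in linux/capability.h. */
#define CAP_NET_RAW   13
#define CAP_SYS_RAWIO 17
#define CAP_SYS_NICE  23

/* Is capability `cap` set in a hex mask as printed on a "CapEff:" line? */
int cap_in_mask(const char *hexmask, int cap)
{
    uint64_t mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* True only when the mask holds exactly `cap` and nothing else, i.e. the
 * process is not running as full root or with a broader grant than needed. */
int mask_is_exactly(const char *hexmask, int cap)
{
    return strtoull(hexmask, NULL, 16) == (1ULL << cap);
}

/* Copy the current process's effective capability mask (16 hex digits)
 * from /proc/self/status into `out`; returns 0 on success, -1 otherwise. */
int read_cap_eff(char *out, size_t outlen)
{
    char line[256];
    FILE *f;
    if (outlen < 17 || !(f = fopen("/proc/self/status", "r")))
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            int ok = sscanf(line + 7, "%16s", out) == 1;
            fclose(f);
            return ok ? 0 : -1;
        }
    }
    fclose(f);
    return -1;
}

int main(void)
{
    char eff[32];
    if (read_cap_eff(eff, sizeof eff) != 0) { perror("CapEff"); return 1; }
    if (!cap_in_mask(eff, CAP_NET_RAW)) {
        fprintf(stderr, "CAP_NET_RAW missing (CapEff=%s); install with: "
                        "setcap cap_net_raw=ep <helper>\n", eff);
        return 1;
    }
    if (!mask_is_exactly(eff, CAP_NET_RAW))
        fprintf(stderr, "warning: holding more than CAP_NET_RAW (CapEff=%s)\n", eff);
    puts("ok: the ICMP helper may open its raw socket here");
    return 0;
}
```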
