Malware on Wine review

[Chris Robinson]

On Monday 23 February 2009 5:14:20 pm Marcel Partap wrote:
> The problem would be with one of the more common use case: trying to
> start/install a program from an optical disc. The files will not be
> marked +x and the directories not be writable.

They're +x for me. They're not writable, but they don't need to be.

Maybe if you mount the disc with the noexec option the files aren't +x, but 
that's exactly what's supposed to happen.. prevent execution of programs on 
the mounted filesystem. The same issue would exist if the user had a CD with 
Linux programs on it. Why should Wine deliberately side-step such a security 
feature? Just because it's an exe loaded by Wine instead of loaded directly by 
the system shouldn't change what happens, IMO.

> Despite from the install-from-cdrom issue, few users that have (been)
> switched from windows to linux will know how to chmod +x a file, so
> wine would at least have to give them a hint (or even a button) to do
> it.

I don't think Wine needs to bring up a button. It's easy enough to say to run 
chmod +x, and it's possible to say how to do it in the file manager (right-
click the exe->Properties->Permissions, select that it's executable; I don't 
imagine it's too different across the default file managers).

If the user goes through the trouble of explicitly marking the exe as 
executable, then it's on their hands. Ignoring the executable flag or using a 
passive click-through dialog is an accident waiting to happen.

> Maybe a better solution would be to introduce an optional dependency
> on ClamAV and tight integration with it - known malware could be
> filtered and distributors would have greater interest in contributing
> to continuous  ClamAV signature updates..

I don't think it's Wine's place to save users from themselves. However, it 
should be Wine's place to honor basic system security options the user has 
set, and not double-guess them.