ptrace, pokerstars and Ubuntu 10.10

Jerome Leclanche adys.wh at gmail.com
Sun Sep 12 16:51:29 CDT 2010


Eric proposed a solution in this bug:
http://bugs.winehq.org/show_bug.cgi?id=24193


J. Leclanche



On Sun, Sep 12, 2010 at 11:35 AM, Michael Fox <415fox at gmail.com> wrote:
> Another possibility I'd like to suggest for fixing this in wine,
> though maybe more extreme, is to make wine a setuid program and use
> setuid in server/ptrace.c
>
> The reason to do this is that there is certain other functionality
> necessary for implementing the windows API that is almost impossible
> without setuid. For example the linux program 'ping' needs to be a
> setuid program. I can't see how you could ever implement the Microsoft
> ICMP API in wine unless wine has setuid.
>
>
> On Sun, Sep 12, 2010 at 3:24 AM, Michael Fox <415fox at gmail.com> wrote:
>> Hi all,
>>
>> There's a problem running wine under the new Ubuntu 10.10 (Maverick).
>> They have enabled kernel security to prevent processes from using
>> ptrace. This affects any wine programs which use ptrace which is
>> surprisingly common. For example I found this bug because PokerStars
>> wouldn't connect to the network.
>>
>> I have filed this as a bug with Ubuntu, but they might choose not to
>> fix it depending on how committed they are to this new security
>> measure. It is filed as:
>>
>> https://bugs.launchpad.net/ubuntu/+source/wine1.2/+bug/636278
>>
>> There is a simple workaround and it is to add the ptrace capability to
>> wineserver using the command:
>>
>> sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
>>
>> I tried to submit this as a bug for wine, but it was closed because
>> the maintainer felt there was nothing the wine people could do about
>> the way Ubuntu sets their security. I would like to make the following
>> suggestions:
>>
>> 1. Add a winetricks trick to fix wine on Maverick by executing: "sudo
>> apt-get install setcap; sudo setcap cap_sys_ptrace=eip
>> /usr/bin/wineserver"
>>
>> 2. Add an error message in wine when ptrace fails with error EPERM.
>> This message should suggest the winetrick so the user will find it
>> quickly. In my case it took quite a while to figure out exactly what
>> was going wrong because there is no more terminal output when ptrace
>> fails than when it succeeds.
>>
>>
>>
>> --
>>
>> -
>> Michael
>>
>
>
>
> --
>
> -
> Michael
>
>
>



More information about the wine-devel mailing list