[Wine] Re: Explain to me how I do not need root?
wineforum-user at winehq.org
Fri Nov 20 10:09:01 CST 2009
James Mckenzie and Stephen Eilert Read what I posted.
Distributions are lazy that simple. There is no need for ping to have a setuid bit.
Ping is not wine. Ping has limited function so limited risk. Wine has the means to do anything.
Appdb is wrong for Linux systems. Only reason for needing root is not knowing about capabilities. Now also beware capabilities is only 1 form of control.
You will find distributions who have ping as setuid root will have the likes of selinux or apparmor or some other LSM taking away the excess power so limiting the access ping has.
Basically running as root not wise. setuid wine with LSM around it kinda ok at least damage is limited. capabilities neater avoid giving the unrequited permissions in the first place so not needing LSM wrapper to keep it way from system core.
Also setuid can app can have subtractive capabilities applied. getcap on file will show these. Its distribution selection if they use LSM or capabilities.
CAP_NET_ADMIN gives all the network powers of root. None of the file-system powers of root.
CAP_NET_RAW is used for ping since its a raw packet
CAP_NET_BIND_SERVICE allows under 1024 port binding.
Simple fact James McKenzie the documenation covering the secuirty is also in the Linux kernel source. That no one bothers reading. Including you. Why bother doing a system backup when simply understanding what is there removes most of the risk.
Google or binging for the solution required you to know that you are looking for capabilities or LSM controls. capabilities are very straight forward.
The appdb is badly wrong. The risks far out way any benefit. setcap is not that big of a orge to use compared to the risks.
http://wiki.winehq.org/FAQ#head-96bebfa287b4288974de0df23351f278b0d41014 To top it off its in the faq people fail to read redirecting you to the capabilities option.
There are other containment options for FreeBSD and Solarias.
More information about the wine-users