[Wine] Re: binding to privileged Linux ports (<= 1024)

oiaohm wineforum-user at winehq.org
Sat Feb 6 19:18:27 CST 2010


I have done support for over 8 years on wine, Martin Gregorie.  Unless I stuff up in my advice, developers mostly don't chip in.

<b>This is the problem: you turn CAP_NET_BIND_SERVICE on for wine and too many things also get access to that permission. Things you may not want having access to that permission.</b>

I should have been more direct.  Capabilities set on wine do inherit through.   Wine is coded that way.   CAP_NET_BIND_SERVICE is required so a few game servers work from wine.   This is only done if there is no native version of that game server as well.  Risks are too high to be doing it out of laziness.

Biggest problem with CAP_NET_BIND_SERVICE is that it exists to prevent conflicts and security breaches, like a user running their own DNS server and overriding the system DNS server, allowing a man-in-the-middle attack.  Basically a lot of services using ports under 1024 are critical services for security.

Using capabilities when you should not opens up a whole stack of problems.   Number 1: wine does not have user separation, so unless you are really, really careful, items that should not have it get it.

The problem here, Martin Gregorie, is that what mc2718 is asking to do is not safe, or is highly costly on system resources.  There is no valid reason to be doing it.

There is a good invalid reason: pure laziness.  "I don't care if I screw up the system, I just want it to work now."

Basically, mc2718 or anyone else: use capabilities without valid grounds and, if your system ends up developing lots of strange problems, don't complain to us.  You would have brought it on yourself.

It's the same policy we have for people running as root without grounds.  There is no valid reason ever to run wine as root on Linux.  There are some platforms where in some cases there is no other option but to use root with wine, i.e. no capabilities to hand out permissions.

There are some valid reasons to use capabilities with wine on Linux, but they are strictly limited.

I.e. the policy of wine support: you alter your OS security without valid reason, you are on your own.

Be aware, everyone: wine can run some Windows viruses and other harmful programs.  If these risks did not exist, caps most likely would have been granted off the start line.
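As an added example (not part of the original post, and not Wine project code), a small audit script that decodes the capability sets a Linux process carries from the `Cap*` lines of `/proc/<pid>/status` and reports whether CAP_NET_BIND_SERVICE is among them; useful for checking what a process started from a `setcap`'d binary actually holds. The status excerpt is constructed for the example and the capability-name table is a partial subset of linux/capability.h.

```python
import os
import re

# Capability bit numbers from linux/capability.h (partial list; others decode as CAP_<n>).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN",
}
CAP_NET_BIND_SERVICE = 10

def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, ...} parsed from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets

def decode_caps(mask):
    """Expand a 64-bit capability mask into capability names, lowest bit first."""
    return [CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if (mask >> bit) & 1]

def has_net_bind_service(status_text):
    """True if the process can bind ports below 1024 now (CapEff) or can pass that on (CapInh)."""
    sets = parse_cap_sets(status_text)
    return any((sets.get(name, 0) >> CAP_NET_BIND_SERVICE) & 1 for name in ("CapEff", "CapInh"))

# Constructed /proc/<pid>/status excerpt (not captured from a real wine run) for a process
# started from a binary that was given cap_net_bind_service=+ep with setcap: bit 10 = 0x400.
SAMPLE_STATUS = """\
Name:\twine-preloader
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000003fffffffff
"""

if __name__ == "__main__":
    for label, text in [("sample", SAMPLE_STATUS)]:
        print(f"[{label}] CAP_NET_BIND_SERVICE present:", has_net_bind_service(text))
        for name, mask in parse_cap_sets(text).items():
            print(f"  {name}: {decode_caps(mask)}")
    if os.path.exists("/proc/self/status"):  # on Linux, also report this process's own sets
        with open("/proc/self/status") as f:
            print("[self] CAP_NET_BIND_SERVICE present:", has_net_bind_service(f.read()))
```

Run it as `python3 capaudit.py` (file name is arbitrary); to check a running wine process, read its `/proc/<pid>/status` instead of `/proc/self/status`.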
