[Wine] How to avoid users installing any Windows programs

Martin Gregorie martin at gregorie.org
Fri Nov 5 10:01:44 CDT 2010 

On Fri, 2010-11-05 at 09:21 -0500, doh123 wrote:
> make a launcher program called wine that is used to launch the program
> you want.. that only allows the one you want to be run... anything
> else will not run.  It will launch by using some other file you've
> somehow hidden as the executable for wine... renaming wine to
> whatever, maybe a hidden file, or something unsuspecting.
>
There's a relatively simple way to do that, which doesn't require wine
to be renamed, by changing the default PATH definition, though it can be
gotten round in exactly the same way as doh123's plot can be
circumvented:

- create a shell script called wine (details below)
- put it in a directory by itself, e.g. /usr/local/wbin
- change the default search path so this is always the first directory
  to be searched. The search path is set up in /etc/profile. In this
  cast you'd add

	pathmunge /usr/local/wbin

  to /etc/profile after the last pathmunge call but before the 
  'unset pathmunge' line.

This means that anybody running 'wine' will always execute your script
and 'which wine' will report your script too. The 'wine' script can be
something as simple as:

#!/bin/bash
shift 
/usr/bin/wine permitted_program $*

which will discard the first argument, assumed to be the program name,
and pass the remaining arguments to the program you want it to run. Put
anything else you need to run the permitted program, such as 'export
WINEPREFIX=...' or cd commands, between 'shift', which discards the
first argument, and the line that runs wine. 


Martin

 





>   If anyone tries the wine command it'll actually be using your custom
> launcher program instead of the real wine executable.  Anyone who
> finds out what the real wine executable is named will be able to use
> it though.... unless you purposefully make it where it cannot run
> because it cannot find its libraries unless its launched a certain
> way, which you have in your custom launcher program (which can't be a
> plain text script or they can just read it easy).  That can still be
> figured out by enterprising users if they really want to.  I cannot
> think of any 100% sure way to prevent the "wine" command from being
> used as it was designed to be used.
> 
> 
> 
>

More information about the wine-users mailing list