[Wine] How to avoid users installing any Windows programs

Martin Gregorie martin at gregorie.org
Sat Nov 6 13:59:34 CDT 2010


On Sat, 2010-11-06 at 05:57 -0500, and78386 wrote:
> So there seems to be no way, or rather no easy way, to prevent the users from going to download.com to install some crap freeware in Wine?
> 
> That's bad because it would annul the whole security concept I've configured for the non-admin users on my machines.
> 
> So Wine seems to be no option in secure multiuser environments?
> 
How about this? 

It requires a little programming but that can be done in almost any
language: C, Java, Perl or Python:

- move the wine executable to a different directory. Let's call it
  /var/lib/.wine so the wine executable's path is /var/lib/.wine/wine
  and, because of the dot, this won't appear in normal directory
  listings

- write a program called wine and put it in /usr/bin in place of the
  original wine. This program will accept the usual wine command line
  arguments and pass them to /var/lib/.wine/wine for execution along
  with the environment variable set. However, before doing that it
  checks the first argument (the program name) to see if it's been
  authorised. To check authorisation:
  1) if the program name contains slashes or back slashes discard
     everything up to and including the last slash or backslash, i.e.
     .wine/drive_c/Program Files/Myapp/app.exe and 
     c:\Program Files\Myapp\app.exe  would both convert to app.exe
  2) if the program name doesn't have an extension, add .exe
  3) look this up in the authorised programs list, say
     /var/lib/.wine/authorised.txt

  If the program isn't authorised tell the user that it won't be run
  and that the administrator will be informed. Send an e-mail to the 
  administrator reporting the full program name and who was trying it
  on.

=====
Another idea is to run a shell script under root every hour to scan
the /home and /tmp directories, as well as any other places that your
users have write access to, for unauthorised programs. If any are found
the script can e-mail details to the administrator and/or delete the
programs. This could be written as a shell script and dropped into the
cron.hourly job. I'd use either find and awk to do the scan or simply
write the lot in Perl or Python.

If you go with the first idea this would be a backup and would use the
same authorised program list. Otherwise its list can simply be put
in /usr/local/etc and, if it is owned by root and only root has read and
write access, a miscreant can't alter or inspect it. Same goes for the
cron script.


Martin
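
The wrapper steps from the first idea, sketched in Python as an added example (not code from the original post). The two paths are the ones named in the post; the list format (one name per line, `#` comment lines), the case-insensitive comparison, the `root@localhost` mailbox and a local MTA are assumptions.

```python
import getpass
import os
import smtplib
import sys
from email.message import EmailMessage

REAL_WINE = "/var/lib/.wine/wine"              # relocated binary (path from the post)
ALLOW_LIST = "/var/lib/.wine/authorised.txt"   # list file (path from the post)
ADMIN = "root@localhost"                       # assumed administrator mailbox

def normalise(program):
    """Steps 1-2: keep the text after the last slash or backslash, add .exe if no extension."""
    base = program.replace("\\", "/").rsplit("/", 1)[-1]
    if not os.path.splitext(base)[1]:
        base += ".exe"
    return base.lower()  # assumption: case-insensitive match, like Windows file names

def load_allowed(lines):
    """Assumed list format: one program name per line, '#' starts a comment line."""
    names = (line.strip().lower() for line in lines)
    return {n for n in names if n and not n.startswith("#")}

def is_authorised(args, allowed):
    """Step 3: the first argument must normalise to a listed name (no argument: refuse)."""
    return bool(args) and normalise(args[0]) in allowed

def report(user, program):
    """Mail the administrator; assumes an MTA is listening on localhost."""
    msg = EmailMessage()
    msg["From"], msg["To"] = ADMIN, ADMIN
    msg["Subject"] = "wine wrapper: unauthorised program"
    msg.set_content(f"user={user} program={program!r}")
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(msg)

def main(args):
    with open(ALLOW_LIST, encoding="utf-8") as fh:
        allowed = load_allowed(fh)
    if not is_authorised(args, allowed):
        print("This program is not authorised; the administrator will be informed.")
        report(getpass.getuser(), args[0] if args else "")
        return 1
    os.execv(REAL_WINE, ["wine", *args])  # the environment is inherited unchanged

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The check compares base names only, exactly as the steps describe, so it identifies a program by what it is called and not by its contents.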




