[Wine] Limiting the execution of Wine to allowed programs

Pavel Troller patrol at sinus.cz
Sun Jan 8 22:42:54 CST 2012


> My uncle has these kids who messed up their Windows computer on a monthly basis by going to unsafe websites.  So I had to fix it for them, multiple times.  There was a time when I went on strike, but because of the family I was "forced" into fixing it.  Lots and lots of hours wasted on fixing their computer problems and still they don't learn their lesson.
> 
> So, the past few months I changed them to Kubuntu.  No viruses since and no reinstalls done for a long while :D  Then a few days ago I found Linux Mint.  Loved it and am in the process of switching them over.  But there are a few games that I'd like to get working for them (they are die-hard sonic fans :) ).  No problem since I already got them working.
> 
> The issue I have with Wine is that, unlike before or I never noticed, every executable that Mint sees can be executed.  I don't want that.  Those kids like to download random executables and install them.
> 
> So, if I could prevent wine from running all the exe files except for the three games that I installed, like have some kind of allow list, then it would be perfect.  How do I go about doing this?
> 
Hi!
  I think it might be done by the following trick with file permissions:
  1) Create a special user in the system (say, wine), including its home 
     directory. This directory must be unwritable, but readable/executable
     by other users.
  2) Setuid wine binary to that user
  3) Possibly create a wrapper script which will be started instead of the
     wine binary and it will set proper WINEPREFIX first and then call the
     binary
  4) Install all the wanted binaries to that WINEPREFIX (which will reside
     in the wine home directory)
  5) Manage wine dosdevices to disallow wine to see the root filesystem, let
     it see just its home directory and virtual C: drive
  Because of this setup, the kids will not be able to write to the wine home
directory. The exception is that wine itself will be allowed to write there
(which is necessary for most Windows programs), so be sure that there is no
tool installed in wine which allows downloading things (like IE, wget or
similar).
  I hope it will work. I didn't test it, but according to the principles of
the Unix permission system, it should be OK.

  Regards, Pavel
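
As an added illustration of steps 3 to 5 of Pavel's reply (example code written for this page, not from the original thread or from the Wine project), the wrapper below stands in for the wine binary: it resolves the requested executable to its canonical path, refuses anything not listed in an allowlist that lives in the locked-down wine home, strips the `z:` link that Wine creates to expose the whole root filesystem, and only then execs the real binary with the fixed WINEPREFIX. The layout is constructed for the example: a dedicated user `wine` with home `/home/wine`, a prefix at `/home/wine/.wine`, an allowlist at `/home/wine/allowed-exes.txt`, and the real binary at `/usr/bin/wine`; all of these are assumptions. One caveat a practitioner would want here: Linux ignores the setuid bit on scripts, so the user switch in step 2 has to come from a setuid binary or a `sudo` rule restricted to this wrapper, not from chmod on the script itself.

```shell
#!/bin/sh
# Added example (not code from the original thread or from Wine): a wrapper that
# stands in for the wine binary and only launches executables that appear, by
# canonical path, in an allowlist kept in the locked-down wine home directory.
# Assumed layout (constructed for this example): a dedicated user "wine" whose
# home is /home/wine, a prefix at /home/wine/.wine, and an allowlist file
# /home/wine/allowed-exes.txt, all owned by that user and read-only for others.
WINE_HOME="${WINE_HOME:-/home/wine}"
WINEPREFIX="${WINEPREFIX:-$WINE_HOME/.wine}"
ALLOWLIST="${ALLOWLIST:-$WINE_HOME/allowed-exes.txt}"
WINE_BIN="${WINE_BIN:-/usr/bin/wine}"

# canon PATH: print the canonical path of an existing regular file, resolving
# every symlink, so that a link planted by a user cannot impersonate a listed
# game. Fails (non-zero) when the file does not exist.
canon() {
    [ -f "$1" ] || return 1
    if readlink -f / >/dev/null 2>&1; then
        readlink -f "$1"
    else
        # fallback for a readlink without -f: we cannot resolve the file itself,
        # so refuse symlinks outright and only canonicalize the directory part
        [ -L "$1" ] && return 1
        d=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
        printf '%s/%s\n' "$d" "$(basename "$1")"
    fi
}

# is_allowed EXE: succeed only if EXE's canonical path is a line of $ALLOWLIST.
# Blank lines and lines starting with '#' in the allowlist are ignored.
is_allowed() {
    exe=$(canon "$1") || return 1
    [ -r "$ALLOWLIST" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        [ "$entry" = "$exe" ] && return 0
    done < "$ALLOWLIST"
    return 1
}

# restrict_dosdevices: step 5 of the post. A fresh prefix has dosdevices/z:
# pointing at /, which exposes the whole filesystem inside Wine; remove it and
# keep c: (and any other links that were deliberately created).
restrict_dosdevices() {
    z="$WINEPREFIX/dosdevices/z:"
    [ -L "$z" ] && rm -f "$z"
    return 0
}

main() {
    if ! is_allowed "$1"; then
        echo "wine-wrapper: refusing to run '$1' (not in $ALLOWLIST)" >&2
        exit 126
    fi
    restrict_dosdevices
    export WINEPREFIX
    exec "$WINE_BIN" "$@"
}

# With no arguments the file only defines the functions above, so it can be
# sourced or tested; a real launch always passes at least the .exe path.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The allowlist holds canonical paths under the prefix's `drive_c`, and because that directory (like the wrapper and the list themselves) is writable only by the `wine` user, neither replacing a listed game nor pointing a symlink at another file gets past the check. The refusal exits with status 126 so a launcher or desktop entry can tell "not permitted" apart from Wine's own failures.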
