[Wine] Re: Limiting the execution of Wine to allowed programs
kerry456
wineforum-user at winehq.org
Fri Jan 13 04:51:15 CST 2012
Pavel Troller wrote:
>
> > My uncle has these kids who messed up their Windows computer on a monthly basis by going to unsafe websites. So I had to fix it for them, multiple times. There was a time when I went on strike, but because of the family I was "forced" into fixing it. Lots and lots of hours wasted on fixing their computer problems and still they don't learn their lesson.
> >
> > So, the past few months I changed them to Kubuntu. No viruses since and no reinstalls done for a long while :D Then a few days ago I found Linux Mint. Loved it and am in the process of switching them over. But there are a few games that I'd like to get working for them (they are die-hard sonic fans :) ). No problem since I already got them working.
> >
> > The issue I have with Wine is that, unlike before or I never noticed, every executable that Mint sees can be executed. I don't want that. Those kids like to download random executables and install them.
> >
> > So, if I could prevent wine from running all the exe files except for the three games that I installed, like have some kind of allow list, then it would be perfect. How do I go about doing this?
> >
> >
> Hi!
> I think it might be done by the following trick with file permissions:
> 1) Create a special user in the system (say, wine), including its home
> directory. This directory must be unwritable, but readable/executable
> by other users.
> 2) Setuid wine binary to that user
> 3) Possibly create a wrapper script which will be started instead of the
> wine binary and it will set proper WINEPREFIX first and then call the
> binary
> 4) Install all the wanted binaries to that WINEPREFIX (which will reside
> in the wine home directory)
> 5) Manage wine dosdevices to disallow wine to see the root filesystem, let
> it see just its home directory and virtual C: drive
> Because of this setup, the kids will not be able to write to the wine home
> directory. The exception is that wine itself will be allowed to write there
> (which is necessary for most Windows programs), so be sure that there is no
> tool installed in wine which allows downloading things (like IE, wget or
> similar).
> I hope it will work. I didn't test it, but according to the principles of
> Unix permission system, it should be OK.
>
> Regards, Pavel
I had no idea about this. You really have great tricks.
Thanks for sharing these here.
__________________________
iPhone apps development (http://smartphonesoftwareinc.com/iphone-application-development.html)
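
One way to write the wrapper script from step 3 of the quoted reply so that it also enforces the allow list asked about in the original question. This is an added example, not code from the thread; the paths, the `allowed.txt` file and the function names are assumptions.

```sh
#!/bin/sh
# Added example: allow-list wrapper around wine. Every path below is an assumption.
WINE_HOME="${WINE_HOME:-/home/wine}"              # home of the dedicated "wine" user
ALLOWLIST="${ALLOWLIST:-$WINE_HOME/allowed.txt}"  # hypothetical: one absolute .exe path per line
REAL_WINE="${REAL_WINE:-/usr/bin/wine}"           # assumed location of the wine binary

# Print the absolute path of $1 with its directory part resolved ("..", symlinked dirs).
canon() {
    dir=$(cd "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
}

# Succeed only for a regular, non-symlink file whose resolved path is an exact
# line of the allow list. Anything missing or unreadable fails closed.
is_allowed() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -r "$ALLOWLIST" ] || return 1
    target=$(canon "$1") || return 1
    grep -Fxq -- "$target" "$ALLOWLIST"
}

run_guarded() {
    exe=$1
    shift
    if ! is_allowed "$exe"; then
        echo "wine-guard: '$exe' is not on the allow list" >&2
        return 126
    fi
    WINEPREFIX="$WINE_HOME/prefix"   # prefix inside the wine user's home (steps 3 and 4)
    export WINEPREFIX
    exec "$REAL_WINE" "$(canon "$exe")" "$@"
}

# Usage: wine-guard /path/to/game.exe [args]; with no arguments nothing is run.
if [ "$#" -gt 0 ]; then run_guarded "$@"; fi
```

Linux ignores the setuid bit on scripts, so the wrapper has to be started as the wine user some other way (for instance a sudoers rule), and it only enforces anything if the kids' accounts cannot execute the real wine binary directly.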