[Wine] Re: Limiting the execution of Wine to allowed programs

kerry456 wineforum-user at winehq.org
Fri Jan 13 04:51:15 CST 2012


Pavel Troller wrote:
> 
> > My uncle has these kids who messed up their Windows computer on a monthly basis by going to unsafe websites.  So I had to fix it for them, multiple times.  There was a time when I went on strike, but because of the family I was "forced" into fixing it.  Lots and lots of hours wasted on fixing their computer problems and still they don't learn their lesson.
> > 
> > So, the past few months I changed them to Kubuntu.  No viruses since and no reinstalls done for a long while :D  Then a few days ago I found Linux Mint.  Loved it and am in the process of switching them over.  But there are a few games that I'd like to get working for them (they are die-hard sonic fans :) ).  No problem since I already got them working.
> > 
> > The issue I have with Wine is that, unlike before or I never noticed, every executable that Mint sees can be executed.  I don't want that.  Those kids like to download random executables and install them.
> > 
> > So, if I could prevent wine from running all the exe files except for the three games that I installed, like have some kind of allow list, then it would be perfect.  How do I go about doing this?
> > 
> > 
> Hi!
> I think it might be done by the following trick with file permissions:
> 1) Create a special user in the system (say, wine), including its home 
> directory. This directory must be unwritable, but readable/executable
> by other users.
> 2) Setuid wine binary to that user
> 3) Possibly create a wrapper script which will be started instead of the
> wine binary and it will set proper WINEPREFIX first and then call the
> binary
> 4) Install all the wanted binaries to that WINEPREFIX (which will reside
> in the wine home directory)
> 5) Manage wine dosdevices to disallow wine to see the root filesystem, let
> it see just its home directory and virtual C: drive
> Because of this setup, the kids will not be able to write to the wine home
> directory. The exception is that wine itself will be allowed to write there
> (which is necessary for most Windows programs), so be sure that there is no
> tool installed in wine which allows downloading things (like IE, wget or
> similar).
> I hope it will work. I didn't test it, but according to the principles of
> Unix permission system, it should be OK.
> 
> Regards, Pavel



I had no idea about this. You really have great tricks.

Thanks for sharing these here.

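An added example, not part of the original posts or of Wine itself: a shell check for steps 1 and 5 of the quoted procedure, run against the shared prefix after setup. It assumes the standard `dosdevices` directory of drive symlinks inside the prefix and is stricter than the post in requiring every drive to resolve inside the prefix; `audit_prefix` is a hypothetical name.

```shell
#!/bin/sh
# Added example, not from the thread. audit_prefix is a hypothetical helper.
# Usage: audit_prefix PREFIX ; prints findings, returns 0 only if clean.
audit_prefix() {
    prefix=$1
    problems=0
    root=$(cd "$prefix" 2>/dev/null && pwd -P) || { echo "cannot enter $prefix"; return 2; }

    # Step 1: other users must be able to read and traverse the directory ...
    if [ -z "$(find "$root" -prune -perm -005 -print)" ]; then
        echo "FAIL: $root is not readable/executable by other users"
        problems=$((problems + 1))
    fi
    # ... but nothing inside it may be writable by group or others.
    writable=$(find "$root" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$writable" ]; then
        echo "FAIL: writable by group/others:"; echo "$writable"
        problems=$((problems + 1))
    fi

    # Step 5: every drive symlink in dosdevices must resolve inside the prefix
    # (assumption: stricter than the post, which also allows the home directory).
    for link in "$root"/dosdevices/*; do
        [ -L "$link" ] || continue
        target=$(cd "$link" 2>/dev/null && pwd -P) || continue  # not a directory
        case "$target/" in
            "$root"/*) ;;
            *) echo "FAIL: ${link##*/} exposes $target"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Run the audit when a prefix path is given on the command line.
[ $# -eq 0 ] || audit_prefix "$1"
```
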






