[Bug 48889] Debian packaging: set cap_net_raw to allow sendings ICMP packets

Fri Apr 10 09:31:05 CDT 2020

https://bugs.winehq.org/show_bug.cgi?id=48889

--- Comment #14 from Luca Boccassi <luca.boccassi at gmail.com> ---
(In reply to oiaohm from comment #10)
> > For some users, like yourself, adding net_raw might be a step too far - then
> > you are of course free not to enable it. I'm fine with having it off by
> > default, that's not a concern really. It can even be a low priority debconf
> > option, so nobody will see it unless they go look for it. Other users for
> > whom the distinction is perfectly meaningless can instead choose to enable
> > it and have working applications.
> 
> Really this is your ignoring the problem.

Thanks for the (unsolicited) curriculum, but I'm afraid the only actual, real
problem being ignored is that users are silently running a configuration that
is unsafe, and that causes them to get their accounts banned, incurring in very
real tangible and even monetary losses. So, in reality, the only software
acting as malware on my machine right now is wine itself.
Fortunately someone already documented this broken behaviour in the
applications DB pages, to help limit the damage. Unfortunately the workarounds
are not "sticky" due to the nature of packages and file-based capabilities -
which means at best users could be pinning the versions and avoiding updates,
at worst the malware-like behaviour gets reintroduced without notice. Trying to
be a good citizen, I thought of sharing a more durable workaround that doesn't
require pinning, is a one-time configuration and is still under the developers
control.

Of course you are absolutely free to hold off and instead spend another 13
years (the original bug, linked earlier, was opened in 2007) looking for a
perfect solution to all hypothetical problems - I wish you the of best luck in
your endeavours.

In the meantime, I'll share another solution which, unlike the packaging
changes, is 100% under the control of users, while still being a one-time
change:

$ cat /etc/dpkg/dpkg.cfg.d/wine-setcap 
post-invoke=if { test "$DPKG_HOOK_ACTION" = configure; } && test -f
/opt/wine-staging/bin/wine-preloader && ! /sbin/getcap
/opt/wine-staging/bin/wine-preloader | grep -qs "cap_net_raw"; then
/sbin/setcap "cap_net_raw=epi" /opt/wine-staging/bin/wine-preloader; fi
post-invoke=if { test "$DPKG_HOOK_ACTION" = configure; } && test -f
/opt/wine-staging/bin/wine64-preloader && ! /sbin/getcap
/opt/wine-staging/bin/wine64-preloader | grep -qs "cap_net_raw"; then
/sbin/setcap "cap_net_raw=epi" /opt/wine-staging/bin/wine64-preloader; fi
post-invoke=if { test "$DPKG_HOOK_ACTION" = configure; } && test -f
/opt/wine-staging/bin/wineserver && ! /sbin/getcap
/opt/wine-staging/bin/wineserver | grep -qs "cap_net_raw"; then /sbin/setcap
"cap_net_raw=epi" /opt/wine-staging/bin/wineserver; fi

Unfortunately dpkg hooks are rather blunt tools - they run on every single
action for every single package, which is truly icky. But it still beats losing
accounts and money.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.