Security of WINE and ReactOS: was Documents and settings

Shachar Shemesh wine-devel at shemesh.biz
Sun Apr 18 01:49:24 CDT 2004


Joshua Walker wrote:

>From futzing with
>an XP box at work, I don't see any real obvious way of
>locking down permissions on files and such. Right
>click/properties on a file gives me the same tired DOS
>flags that haven't changed since DOS 3.0
>
I've allowed myself to change the order of quotes a little. Sorry.

Joshua - your work XP was installed on a FAT filesystem. If it were NTFS, 
you would have had a list of ACLs (Access Control Lists). This is a list 
that says "A can do this, B can do that, C is not allowed to do those" 
etc. It gives 100% granularity on what each entity can or cannot do, 
with each file, registry entry and device in the system. This, I 
believe, is what triggered Steven to say:

>The unix security design of users and groups with
>permissions is not
>bad it's just outdated.
>
Of course, Steven is, in my very humble opinion, dead wrong here. 
Windows' security model is a gross violation of KISS (keep it simple, 
stupid). Granularity is set so high, it is practically impossible to 
actually get anything configured. When was the last time you saw ANY 
Windows program installer that changes the file permissions in any way? 
Last I checked, the standard InstallShield and Wise template builders 
didn't even have an option to do that! In other words, we should not 
aspire to bring Windows' security model into Linux. All the Windows 
security model did was cause every single user on the system to be an 
administrator. Having said that, we are left with Joshua's question

>The question is quite interesting. How does one
>"translate" a security philosophy? Do we want to give
>WINE the ability to hijack wsock32.dll?
>(wsock32.dll.so) This is often done with ISP
>proprietary installers, *COUGH*-AOL-*COUGH*, and
>various spyware apps.
>
>Has this been considered?
>  
>
Here is my answer:
At the moment, Wine is only aimed at single-user installations. As long 
as that is the case, each wine user is an "Administrator" over his own 
fake-root wine installation. I don't see that changing.

I do want to see wine evolving into a (Linux) system wide installation, 
at which point security will have to come into play. I did post one idea 
on how to do that at 
http://www.kerneltraffic.org/wine/wn20030328_163.html#5, and in 
particular at 
http://www.winehq.com/hypermail/wine-devel/2002/10/0654.html (October 
2002!).

IMHO, the idea should be to bring Unix simplicit permissions to the 
Windows world, at least for the Unix installations of Wine. ReactOS may 
well legitimately want the full blown stuff, with all the security 
problems that come with it. This means that we do translate the POSIX 
users and groups into ACLs, but we do not necessarily do it the other 
way around. Let's not forget that the purpose of Wine is to bring 
Windows apps into the Unix/Linux world, not to change Unix/Linux itself.

          Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting
http://www.lingnu.com/
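
The one-way translation proposed in the message above, from POSIX owner/group/other bits to an ACL, sketched as an added example (not part of the original message and not Wine's code). The tuple ACE format, the function names and the SIDs passed in by the caller are assumptions made for illustration.

```python
import stat

# Windows file access masks (values from winnt.h).
FILE_GENERIC_READ = 0x120089
FILE_GENERIC_WRITE = 0x120116
FILE_GENERIC_EXECUTE = 0x1200A0
EVERYONE = "S-1-1-0"  # well-known "World" SID

def rwx_mask(bits):
    """Map one rwx triple (0-7) to a Windows access mask."""
    mask = 0
    if bits & 4:
        mask |= FILE_GENERIC_READ
    if bits & 2:
        mask |= FILE_GENERIC_WRITE
    if bits & 1:
        mask |= FILE_GENERIC_EXECUTE
    return mask

def mode_to_acl(mode, owner_sid, group_sid):
    """Build an ordered list of (type, sid, mask) ACEs from a POSIX mode."""
    perm = stat.S_IMODE(mode)
    owner, group, other = (rwx_mask(perm >> s & 7) for s in (6, 3, 0))
    # POSIX stops at the first matching class; allow ACEs accumulate. Deny
    # entries keep a restricted owner or group from inheriting wider rights.
    aces = [("DENY", owner_sid, (group | other) & ~owner),
            ("ALLOW", owner_sid, owner),
            ("DENY", group_sid, other & ~group),
            ("ALLOW", group_sid, group),
            ("ALLOW", EVERYONE, other)]
    return [ace for ace in aces if ace[2]]  # drop empty entries

def access_check(acl, token_sids, wanted):
    """Walk ACEs in order, as a Windows access check does."""
    granted = 0
    for kind, sid, mask in acl:
        if sid not in token_sids:
            continue
        if kind == "DENY" and mask & wanted & ~granted:
            return False
        if kind == "ALLOW":
            granted |= mask
        if not wanted & ~granted:
            return True
    return False
```

The ACE order is deliberate: moving the group deny ahead of the owner allow would lock out an owner who is also a member of the file's group (mode 0604, for instance).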



