Security of WINE and ReactOS: was Documents and settings

Robert Shearman R.J.Shearman at warwick.ac.uk
Sun Apr 18 07:48:16 CDT 2004


P. Christeas wrote:
>
> Just my humble opinion on this:
> 1. One reason Unix security model is still around is that it is simple. ACLs
> and such need more administration and are more likely to be configured wrong.

That is absolutely true. Plus it is much easier to see who has what
permissions in the Unix model. It gets even worse with ACLs when you have
SMB share permissions as well. You can't tell very easily what the effective
permissions are for each user.

> Unix, on the other hand, is compulsory (you *have* to set the permissions
> everywhere) and simple. In modern kernels (I use 2.6) you can also have more
> detailed permissions (ACLs, capabilities etc.) but they don't seem to be
> popular..
> 2. Wine now runs in userspace, needing no privileges to operate. That's great
> because it protects itself both from bad win32 apps and bugs Wine may have.
> If it needed to obtain more system power, it would have to be in rootland. I
> wouldn't feel comfortable knowing that a win32 app runs on my system with
> some kind of root privileges.

I don't feel comfortable running any non-essential programs as root or
Administrator. I certainly don't run Internet Explorer or Outlook as
Administrator.
However, I think Wine will have the capability to host Windows services in
the near future and they may need to be run as root.

> 3. There is a certain tradeoff between letting those permission-hungry apps (I
> recently came across an app that wanted to form its own ICMP packets) and
> being secure.

That is exactly the situation SELinux is suited for. It has an even finer
grained control of privileges than Windows and would allow you to grant the
user a limited set of "root" privileges that are needed for it to complete
its task without giving the user the ability to write to '/'.

> IMHO restricting userspace apps is one reason Unix is secure
> (eg. no programmer will try to write an app that stores its data at '/'
> catalog, win apps may require write to 'C:\' or 'C:\windows\').

No programs that write to 'C:\' or 'C:\Windows' would be installed by me on
my own machine or on the company networks I have worked on. No programmer on
Unix or Windows (in this day and age) should assume that it can write
anywhere but the user's home directory. From a security model perspective
Unix and Windows NT have the same level of security. Where they differ in
security is that Windows tends to have so much more code exposed to
potential attackers compared to most Unix systems.

> I prefer being secure.


Rob