icmp states I need to be running wine as root

Saulius Krasuckas saulius2 at ar.fi.lt
Sat Dec 29 14:24:56 CST 2007

* On Sun, 21 Oct 2007, Juan Lang wrote:
> > Isn't there another way to do this than with SOCK_RAW, or having to 
> > run wine as root?
> In answer to your second question:  yes, modify the Linux kernel not
> to have such restrictions.

Well, there are already patches which modifies it in one way or another.  
I refer to "man 7 capabilities" or web resources [1]-[3].  Some of 
approaches may be abandoned already, but I see recent discussion [4] on 
this and by [5] I judge SELinux already can handle this task.

Plus, I have found some recently updated tool called "Filesystem 
capabilities for linux" which also is not POSIX compatible (and so were 
old capabilities implementation for linux kernel):

|  With this patch, you will be able to grant selective privileges to 
| executables on a needed basis. This means for some executables, there is 
| no need anymore to run as root or as a suid root binary.
| For example, you may drop the SUID bit from ping and grant the 
| CAP_NET_RAW capability:
|     # chmod u-s /bin/ping
|     # chcap cap_net_raw=ep /bin/ping 

If this is acceptable solution, then it probably would be nice for Wine to 
have separate binary for every needed capability.  CAP_NET_RAW (for ICMP), 
CAP_SYS_RAWIO (for IO ports) and CAP_SYS_NICE (for threads priority) comes 
to mind.

This plan is to don't force users to give the bunch of capabilities to the 
main Wine binary (or even several of them) at once (so the security risk 
should be increased in a minimal way).  But well, that could be a minor 
nuance for such users.

[1] http://www.securityfocus.com/infocus/1400
[2] http://lwn.net/Articles/79185/
[3] http://lwn.net/Articles/199004/
[4] http://lkml.org/lkml/2006/9/18/100
[5] http://lwn.net/Articles/79208/
[6] http://www.olafdietsche.de/linux/capability/

More information about the wine-devel mailing list