Wine on OLPC

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Sat Apr 12 10:37:07 CDT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ove Kaaven wrote:
| Benjamin M. Schwartz skrev:
|> I'm particularly surprised because I cannot imagine any reasonable
|> scenario in which allowing non-root users to run in .wine/ directories
|> that they do not own is a security risk.  There is no privilege escalation
|> here; the non-root user is still required by the kernel to operate within
|> the bounds of posix permissions.
|
| That's not quite correct. If user B can run user A's installation of
| Wine, then user B can easily install some script or program that gets
| executed automatically (wineboot) the next time user A runs Wine; from
| there, user B can gain unlimited access to user A's account. (Or,
| perhaps, vice versa.)

My home directory is not world-writable.  Is yours?

|
| I think that's not really the point of the check, though. Perhaps more
| problematic is probably that if user B runs user A's Wine, then files
| written (registry included) might become owned by B, with the result
| that next time user A wants to start Wine, it can't access them. (The
| most frequent problem here is the one when user B called "root", but not
| necessarily.)

This only works if one user is root; otherwise (under any normal unix
permissions setup) multiple users do not have write access to each other's
.wine/ directories.

|
| And of course, if user A and user B happens to run Wine
| *simultaneously*, they're going to overwrite each other's files and end
| up with a broken Wine installation.

That is definitely an interesting problem, as noted in the very
comprehensive bug #11112.  The suggested solution of introducing a
lockfile does seem appropriate; it's how every other unix application
solves this problem.  In my case, I have external mechanisms to ensure
that multiple instances of wine are never running simultaneously.

|
|> I need the ability to run in profiles as a user who is not the "owner" of
|> the files on disk.  I am doing this quite specifically because, in my
|> case, this greatly _increases_ the security of the system.
|
| You have a poor understanding of Unix security if you think it's good
| that files and whatever uses them are on different accounts, and if you
| think making a (fake) Windows installation publicly accessible (and
| modifiable) by every other user on the system can possibly be called secure.

I'm afraid there is not space here to describe the Rainbow security
system.  However, I am operating in a special environment in which the
system has a single human user, and unix uid's have been repurposed to
provide software isolation.  I am not, in fact, suggesting making .wine/
publicly accessible.  I am actually using "chmod g+rwx" to make .wine/
available to a particular application, because each application has a
unique gid.  Also, Rainbow uses namespaced bindmounts in such a way that
applications not running with the gid in question cannot even determine
that this .wine/ directory exists.

See http://wiki.laptop.org/go/Rainbow

|
| I'm not sure why you even need to. If you're running Wine as a different
| user, why shouldn't that different user own its own .wine/ directory?

Rainbow works by generating a new uid every time an application is
launched.  Therefore, the second time the same human runs a wine-based
program, it runs under a different uid.  In order to provide continuity of
state, I need to be able to run in a permanent .wine/ despite having a uid
that is constantly changing.

Bug #11112 suggests that it may be possible to solve this problem using
dynamically generated symlinks.  I will try that.

- --Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIANcjUJT6e6HFtqQRAnHdAKCUxI/2HvzfiEjloGjwkcIiZ24ZpACcDBZ+
Cq9UlZY0euM9DHwlmyusyV4=
=C/Un
-----END PGP SIGNATURE-----

More information about the wine-devel mailing list