Wanted: small C program to drop all capabilities but cap_sys_ptrace

Scott Ritchie scott at open-vote.org
Wed Sep 29 08:14:53 CDT 2010

Ubuntu 10.10 is coming out soon, and its new kernel settings prevent
Wine apps from looking at each others' memory.  This breaks World of
Warcraft, among other things.  See:

What's needed is a very small shim for Wine that can be setuid 0, but
then release all capabilities except what Wine actually needs -- what a
normal user has, and cap_sys_ptrace.

On an Ubuntu system, this is very similar to what DHCP and PING do --
setuid 0, however they drop all privs except cap_net_rawio at the start.
 Existing code can be used:

Basically, I need someone to write this shim for me.  The long term
solution is probably to just package Wine such that the wine binary
itself has cap_sys_ptrace, however currently Ubuntu has no support for
this kind of extended attribute in the packaging system so workarounds
like the above for DHCP need to be done.  I suspect other distros have
similar issues.

Scott Ritchie

