Wanted: small C program to drop all capabilities but cap_sys_ptrace
Michael Stefaniuc
mstefani at redhat.com
Wed Sep 29 08:42:00 CDT 2010
On 09/29/2010 03:14 PM, Scott Ritchie wrote:
> Ubuntu 10.10 is coming out soon, and its new kernel settings prevent
> Wine apps from looking at each others' memory. This breaks World of
> Warcraft, among other things. See:
> http://bugs.winehq.org/show_bug.cgi?id=24193
>
> What's needed is a very small shim for Wine that can be setuid 0, but
> then release all capabilities except what Wine actually needs -- what a
> normal user has, and cap_sys_ptrace.
Pardon my ignorance but why is Ubuntu restricting the ptrace'ing of
processing belonging to the same uid?
> On an Ubuntu system, this is very similar to what DHCP and PING do --
> setuid 0, however they drop all privs except cap_net_rawio at the start.
> Existing code can be used:
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/dapper/dhcp3/dapper/annotate/head%3A/debian/patches/droppriv.dpatch
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/dapper/dhcp3/dapper/annotate/head%3A/debian/patches/deroot-client.dpatch
>
>
> Basically, I need someone to write this shim for me. The long term
> solution is probably to just package Wine such that the wine binary
> itself has cap_sys_ptrace, however currently Ubuntu has no support for
> this kind of extended attribute in the packaging system so workarounds
> like the above for DHCP need to be done. I suspect other distros have
> similar issues.
Doubt that Fedora has that problem as they are using SELinux to restrict
what processes can do. There is a policy for Wine and rpm supports the
setting of the correct SELinux context on rpm installation/upgrade time.
bye
michael
More information about the wine-devel
mailing list