Wanted: small C program to drop all capabilities but cap_sys_ptrace

Michael Stefaniuc mstefani at redhat.com
Wed Sep 29 08:42:00 CDT 2010

On 09/29/2010 03:14 PM, Scott Ritchie wrote:
> Ubuntu 10.10 is coming out soon, and its new kernel settings prevent
> Wine apps from looking at each others' memory.  This breaks World of
> Warcraft, among other things.  See:
> http://bugs.winehq.org/show_bug.cgi?id=24193
> What's needed is a very small shim for Wine that can be setuid 0, but
> then release all capabilities except what Wine actually needs -- what a
> normal user has, and cap_sys_ptrace.
Pardon my ignorance but why is Ubuntu restricting the ptrace'ing of 
processing belonging to the same uid?

> On an Ubuntu system, this is very similar to what DHCP and PING do --
> setuid 0, however they drop all privs except cap_net_rawio at the start.
>   Existing code can be used:
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/dapper/dhcp3/dapper/annotate/head%3A/debian/patches/droppriv.dpatch
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/dapper/dhcp3/dapper/annotate/head%3A/debian/patches/deroot-client.dpatch
> Basically, I need someone to write this shim for me.  The long term
> solution is probably to just package Wine such that the wine binary
> itself has cap_sys_ptrace, however currently Ubuntu has no support for
> this kind of extended attribute in the packaging system so workarounds
> like the above for DHCP need to be done.  I suspect other distros have
> similar issues.
Doubt that Fedora has that problem as they are using SELinux to restrict 
what processes can do. There is a policy for Wine and rpm supports the 
setting of the correct SELinux context on rpm installation/upgrade time.


More information about the wine-devel mailing list