Wanted: small C program to drop all capabilities but cap_sys_ptrace

Scott Ritchie scott at open-vote.org
Wed Sep 29 09:53:16 CDT 2010

On 09/29/2010 07:12 AM, Alexandre Julliard wrote:
> Scott Ritchie <scott at open-vote.org> writes:
>> Ubuntu 10.10 is coming out soon, and its new kernel settings prevent
>> Wine apps from looking at each others' memory.  This breaks World of
>> Warcraft, among other things.  See:
>> http://bugs.winehq.org/show_bug.cgi?id=24193
>> What's needed is a very small shim for Wine that can be setuid 0, but
>> then release all capabilities except what Wine actually needs -- what a
>> normal user has, and cap_sys_ptrace.
> I don't think that's a good idea. CAP_SYS_PTRACE allows access to any
> process, so it's a lot more dangerous than the standard ptrace checks
> that Ubuntu decided to break. Going back to the default behavior is
> probably safer than making Wine setuid...

Unfortunately the default behavior can only be set globally, so that
leaves me with:

1) make installing the package cause the global change
2) the above idea
3) do nothing

I'm not sure which is worse, although I know doing nothing breaks a lot
of apps.  The long term solutions are described at the bug however.

It would be rather nice if there were a cap_sys_ptrace that were at
least restricted to other processes owned by that user...

More information about the wine-devel mailing list