[Wine] No C Drive
Austin English
austinenglish at gmail.com
Thu May 29 22:23:22 CDT 2008
On Thu, May 29, 2008 at 9:57 PM, oiaohm <wineforum-user at winehq.org> wrote:
> austin987 Never ever do the quoted on a Linux system
>
>> $ sudo wineboot
>> $ sudo wine foo.exe
>> will work fine (need some way for users that need raw ICMP/disk
>> access/etc. to work around it)
>
>
> Raw ICMP and Disk access can be granted many other ways without using sudo. Sudo grants the right to a virus in wine to take out your complete OS.
>
> I normally stick to posix capiblities to grant them.
>
> If you distro is old or don't have posix file capiblities in kernel.
>
> From http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
>
>> How do I start a process with a limited set of capabilities under
>> another uid?
>>
>> Use the sucap utility which changes uid from root without loosing any
>> capabilities. Normally all capabilities are cleared when changing uid
>> from root. The sucap utility requires the CAP_SETPCAP capability.
>> The following example starts updated under uid updated and gid updated
>> with CAP_SYS_ADMIN raised in the Effective set.
>>
>> sucap updated updated execcap 'cap_sys_admin=eip' update
>>
>
>
> Or if your kernel has support of file capiblies create a version of wine with a little more permissions. setfcaps -c cap_net_raw=p -e /bin/ping
>
> There has been no reason to run wine on Linux as root since late 2.2 linux kernels and early 2.4 linux kernels. Personally I really do wish that a bail out patch would get added to wine for all Linux systems. Even running services there is no reason for wine to be root.
>
>
>
>
>
>
First example I could think of off hand. For power users that need a
way to run as root, that's the way to do so (binding to ports < 1024,
etc.)
More information about the wine-users
mailing list