[Wine] Disable games with wine
L. Rahyen
research at science.su
Fri Apr 16 12:22:32 CDT 2010
Sorry for the delay; I was very busy and couldn't find the time to write this
answer sooner.
On 2010-04-12 (April, Monday) 12:43:52 Trohan wrote:
> Well basically, I don't wanna users can't change anything, just use the
> following programs:
>
> - Dreamweaver
> - Statgraphics
> - Office
> - Derive
>
> They don't need to modify the filesystem
Applications like Dreamweaver or Office without the possibility to modify the
filesystem can be used only to open files (users will not be able to edit or save
anything). Are you sure you really want to block write access for Wine? Please
note that ability to save his/her work does not mean that a user can write
anywhere in the filesystem. Usually with programs you mentioned (which are
supposed to be used to edit and save files) you want to allow user(s) to write
to at least one directory.
> They don't need ... create another prefix of wine
You can add the following line to /etc/zsh/zshenv if your users are using zsh
or to /etc/bash.bashrc:
declare -rx WINEPREFIX=~/.wine
However, this will not stop someone who has an understanding of bash or zsh -
such a user will bypass this "restriction" in just a few seconds (because it isn't
actually a restriction). However, it is good to have this line there anyway, even
if all your users are smart enough to bypass it - to indicate to the user(s) that
trying to change WINEPREFIX is wrong.
> especially playing games, nothing about this.
Let's consider two ways to do what you want:
If your users are not "too advanced" then doing the "declare -rx
WINEPREFIX=~/.wine" trick and restricting access to 32-bit OpenGL libraries (or
simply uninstalling those libraries) for your users will prevent them from
running any game that needs advanced 2D or 3D graphics with Wine (or any other
32-bit application that needs those libraries).
If this isn't enough (for example you don't want your users to install
anything easily) you can add more restrictions.
Create a user and group "wine", use chgrp -R and chown -R to assign the wine user
and group to ~/.wine/drive_c of all your users, and use
chmod -R go-w to prevent users from adding or changing files in drive_c.
Here is an example set of commands to achieve everything mentioned above:
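# Run as root. Works in both bash and zsh.
# Pin WINEPREFIX (read-only, exported) in the system-wide shell startup files.
if [[ -e /etc/zsh/zshenv ]]; then
    echo "declare -rx WINEPREFIX=~/.wine" >> /etc/zsh/zshenv
fi
if [[ -e /etc/bash.bashrc ]]; then
    echo "declare -rx WINEPREFIX=~/.wine" >> /etc/bash.bashrc
fi
# System user and group that will own every drive_c.
addgroup --system wine
adduser --system wine --ingroup wine
for i in "myuser1" "myuser2" "myuser3"; do
    # Hand drive_c to wine:wine and remove write access for group and others.
    chown -R wine /home/"$i"/.wine/drive_c
    chgrp -R wine /home/"$i"/.wine/drive_c
    chmod -R og-w /home/"$i"/.wine/drive_c
    # Remove the Z: drive mapping.
    rm /home/"$i"/.wine/dosdevices/z:
    # Create the one writable directory and expose it to Windows programs as X:.
    mkdir /home/"$i"/Wine\ Documents
    chown "$i" /home/"$i"/Wine\ Documents
    chgrp "$i" /home/"$i"/Wine\ Documents
    chmod 770 /home/"$i"/Wine\ Documents
    ln -s /home/"$i"/Wine\ Documents /home/"$i"/.wine/dosdevices/x:
done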
Of course, replace "myuser1" "myuser2" "myuser3" with the real user list; all users
should already have ~/.wine with all necessary programs installed.
After the above commands each user will be able to write from all Wine programs
only to the specifically designated directory ~/"Wine Documents", available as X: to
Windows applications under Wine (you can change the commands to suit your real
world needs).
Please note that some Windows applications require write access to certain
directories or files. Use chown and chgrp to give back permission to write to
such files and directories to your users (examples are: log files, configuration
files you don't want to freeze, or file/directory that causes error if not
writable).
If your users aren't "too advanced" this method may work very well.
I don't want to describe the second way before you say you really require it.
Also, I must warn you that the second way will place restrictions that cannot be
bypassed (at least in theory) only if you make zero mistakes; this way
will also require from you some advanced knowledge or time to learn it (nothing
very hard, but not simple either). It will take a lot of your time just to put
together a white-list of executables your users are allowed to run - both Linux
and Windows executables - to be 100% sure that users will run only those programs
they are supposed to run.
Actually there is a third way - to monitor your users by recording their
actions for later review (reviewing 8 hours of someone's active work is usually
very fast - just a few minutes or even seconds if using some kind of automation).
In this case you first warn your users that all their actions are carefully
monitored and recorded including full content of their screen. If your users
can have even small but real problem(s) in case you have 100% proof that they
were doing something that they aren't supposed to do (for example, playing
games) then this method can be very effective; otherwise it's useless. If you
are interested in this way I can give you all you need to quickly set this up.
If you are unfamiliar with this method it may look to you like something
complex or time consuming but it isn't and that's why it can work even if you
have many users.
The first and third ways can be combined together for greater effectiveness. My
suggestion: first try the first way (perhaps combining it with monitoring of
your users). If it does not work well enough then you will need to do it
properly and restrict your users to only those programs and permissions they
really need (the second way).
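
An audit for the first way described in the message above, added here as an example and not part of the original post: it checks that a user's prefix is still in the state the commands leave it in. The function name audit_wine_prefix is hypothetical, and GNU find and readlink are assumed.

```shell
# audit_wine_prefix HOME_DIR USER_UID
# Prints one line per finding; exit status is the number of findings (0 = clean).
# The body runs in a subshell, so its variables do not leak and "exit" only
# ends the function. Typical call as root (user name is a placeholder):
#   audit_wine_prefix /home/myuser1 "$(id -u myuser1)"
audit_wine_prefix() (
    home=$1; uid=$2; prefix=$home/.wine; findings=0
    c_real=$(readlink -f "$prefix/drive_c")
    docs_real=$(readlink -f "$home/Wine Documents")

    # Nothing under drive_c may still belong to the user (chown -R wine).
    if [ -n "$(find "$prefix/drive_c" -uid "$uid" -print -quit)" ]; then
        echo "drive_c: entries owned by uid $uid"; findings=$((findings + 1))
    fi
    # Nothing under drive_c may be group/other-writable (chmod -R og-w).
    # Symlinks are skipped because their mode bits carry no meaning.
    if [ -n "$(find "$prefix/drive_c" ! -type l -perm /022 -print -quit)" ]; then
        echo "drive_c: group/other-writable entries"; findings=$((findings + 1))
    fi
    # Drive letters may resolve only to drive_c or "Wine Documents";
    # a restored z: or any other extra mapping is reported.
    for dev in "$prefix"/dosdevices/*; do
        [ -e "$dev" ] || [ -L "$dev" ] || continue
        target=$(readlink -f "$dev")
        if [ "$target" != "$c_real" ] && [ "$target" != "$docs_real" ]; then
            echo "dosdevices/${dev##*/} -> $target"; findings=$((findings + 1))
        fi
    done
    # The writable X: mapping must be present as a symlink.
    if [ ! -L "$prefix/dosdevices/x:" ]; then
        echo "dosdevices/x: missing"; findings=$((findings + 1))
    fi
    exit "$findings"
)
```

Run it from cron for each user in the list and alert on any non-zero status.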