[Wine] binding to privileged Linux ports (<= 1024)

Martin Gregorie martin at gregorie.org
Sat Feb 6 20:02:23 CST 2010


On Sat, 2010-02-06 at 19:18 -0600, oiaohm wrote:

> This is the problem: if you turn CAP_NET_BIND_SERVICE on for wine, too many
> things also get access to that permission. Things you may not want
> having access to that permission.
> 
Agreed.

> I should have been more direct.  Capabilities set on wine do inherit
> through.   Wine is coded that way.
>
That's good to know. Thanks.

>    CAP_NET_BIND_SERVICE is required so a few game servers work from
> wine.   This is only done if there is no native version of that game
> server as well.  Risks are too high to be doing it out of laziness.
> 
Agreed again, but it's probably better than running the app as root or
giving it superuser privileges.

> Biggest problem with CAP_NET_BIND_SERVICE is that it exists to prevent
> conflicts and security breaches.  Like a user running their own DNS
> server and overriding the system DNS server, so allowing a man-in-the-middle
> attack.  Basically a lot of services using ports under 1024 are critical
> services for security.
> 
No argument here. I'd normally run that type of process as a daemon and
it WOULD NOT be running under Wine. If I *had* to give that sort of
access to a Wine app I'd probably leave it in userland and make it use a
proxy daemon.
 
> Problem here, Martin Gregorie, is that what mc2718 is asking to do is not safe,
> or is highly costly on system resources.  There is no valid reason to be
> doing it.
> 
Agreed again, but if somebody wants to stuff up his own system that's his
problem. He should know what he is doing before he tries any of these
tricks; if he doesn't understand the issues but tries it anyway, then he
deserves all the grief he'll get.

That is why I merely listed manpages to read and did not say anything
about how to use the functions they describe. If the OP doesn't read
them and think about what he's read he is unlikely to make anything
work, and if he does read up on these functions and doesn't think about
the problems and security holes he may cause then if bad things happen
he has only himself to blame.

If he does this to anybody else's equipment then his liability insurance
cover had better be sufficient and the premium fully paid up.
 
> Basically, mc2718 or anyone else who uses capabilities without valid grounds:
> if your system ends up developing lots of strange problems, don't
> complain to us.  You would have brought it on yourself.
> 
Quite.

> It's the same policy we have for people running as root without
> grounds.  There is no valid reason ever to run wine as root on Linux.
>
Unfortunately Windows NT onwards has such laughable and misdesigned
"security features", including the ability to let the lazy-minded give
ordinary users System Administrator capability, that people think super
user restrictions are only there to annoy them.

All too many people need a severe thrashing with a cluestick if they are
ever to unlearn these habits.
  

Martin
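The "proxy daemon" arrangement Martin mentions, as an added example that is not part of the original post and not Wine project code: a small helper is the only process holding CAP_NET_BIND_SERVICE, binds the listening socket, and hands the descriptor to the unprivileged program (standing in for the Wine app) over a UNIX-domain socket with SCM_RIGHTS. The app never holds the capability, so nothing it spawns can inherit it either. So that it runs as an ordinary user, the demo binds 127.0.0.1 on an ephemeral port (0) rather than a port below 1024; with the capability on the helper binary (for example `setcap cap_net_bind_service=+ep helper`) the same code binds port 53 or 80. The function names and the single-process layout are the example's own assumptions.

```c
/* Added example: privileged helper binds the listener, passes the fd to an
 * unprivileged client via SCM_RIGHTS.  Only the helper would ever carry
 * CAP_NET_BIND_SERVICE; this demo uses port 0 so it needs no privileges. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <unistd.h>

/* Helper side: bind and listen on addr:port.  Returns the listening fd or -1. */
int helper_bind_listener(const char *addr, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send one descriptor over a UNIX-domain socket using SCM_RIGHTS. */
int send_fd(int chan, int fd_to_send)
{
    char byte = 'S';   /* sendmsg needs at least one byte of ordinary payload */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd_to_send, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; -1 if the message carried none or was malformed. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Client side: which local port is the received socket bound to?  -1 on error. */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Whole exchange in one process over a socketpair: helper binds, passes the
 * fd and drops its copy; the client inspects what it received.
 * Returns the port the client now holds a listener on, or -1 on failure. */
int demo_proxy_handoff(uint16_t port)
{
    int pair[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) < 0) return -1;
    int lfd = helper_bind_listener("127.0.0.1", port);
    if (lfd < 0) { close(pair[0]); close(pair[1]); return -1; }
    int rc = send_fd(pair[0], lfd);
    close(lfd);                 /* helper no longer needs the socket */
    int client_fd = rc == 0 ? recv_fd(pair[1]) : -1;
    close(pair[0]);
    close(pair[1]);
    if (client_fd < 0) return -1;
    int p = bound_port(client_fd);
    close(client_fd);
    return p;
}

int main(void)
{
    int p = demo_proxy_handoff(0);   /* 0 = ephemeral; pass 80 etc. when the helper has the capability */
    if (p < 0) { perror("handoff"); return 1; }
    printf("client holds a listener on 127.0.0.1:%d without any capability\n", p);
    return 0;
}
```

In a real deployment the helper and client are separate executables connected by a named UNIX socket, the helper checks the peer's credentials (SO_PEERCRED) and only hands out the ports it was configured for, and the client is what gets run under Wine. The descriptor carries the bound socket, not the capability, which is the whole point of keeping the capability off the Wine binary.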