[Wine] Re: How to avoid users installing any Windows programs

williamh wineforum-user at winehq.org
Sat Nov 6 17:50:39 CDT 2010


and78386 wrote:
> So there seems to be no way, or rather no easy way, to prevent the users from going to download.com to install some crap freeware in Wine?
> 
> That's bad because it would annul the whole security concept I've configured for the non-admin users on my machines.
> 
> So Wine seems to be no option in secure multiuser environments?


(Warning: this is mostly untested speculation.)

I take it you want the user frodo to type

     windows_app

then run wine, as frodo, running a specific application
(thus giving the application the same permissions as frodo);
however, the user should have no ability to run any other application.

The simplest way I can think of to do this is to compile a custom
version of wine that has the application hard coded in. Put this
in /usr/bin, and make it world executable. Thus the executable
(and hence the app) would be run as frodo.
There may be maintenance concerns, as a new compile
would be needed with each update.

A second method is to have a wine user, and have
the wine executable owned by wine and not world
executable. There would be a launcher program
to use this. It is not sufficient to make the launcher
program setuid, as then frodo would run the application
as wine. Instead, set up the following. The launcher program
forks; process 1 waits on a pipe from process 2. Process
2 does setuid, then copies the wine executable,
gives the new file world executable perms,
sends the name to process 1 and waits a short while.
When it receives the name, process 1 execs the copy, sending
it the app as argument. Note that the copy and the app run
as frodo. Process 2 unlinks the copy, then exits.
User frodo never has direct access to the wine executable,
even if he learns the name.

This could probably be broken by a knowledgeable and determined
frodo, but it would be easier for frodo to install his own
version of wine in his home directory.   Indeed, if frodo is allowed
to download stuff, you are stuck with the security afforded by
the OS.   However, under this scenario, frodo cannot corrupt the
wine that most people use.
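
An added sketch of the second method's fork-and-pipe handoff; it is not part of the original post and not Wine project code. The names `launch_via_copy` and `helper` are hypothetical, the privilege changes of a setuid launcher are only marked in comments, and the calling process reads the name and forks process 1 itself so that it can return the exit status.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Process 2: copy src into dir, send the copy's name, unlink it after a delay. */
static void helper(const char *src, const char *dir, int wfd) {
    char path[256], buf[4096];
    snprintf(path, sizeof path, "%s/wine-copy-XXXXXX", dir);
    int in = open(src, O_RDONLY), out = mkstemp(path);
    if (in < 0 || out < 0) _exit(1);
    for (ssize_t n; (n = read(in, buf, sizeof buf)) > 0; )
        if (write(out, buf, n) != n) _exit(1);
    fchmod(out, 0711);          /* world executable; readable by owner only */
    close(in); close(out);      /* a file open for writing cannot be exec'd */
    if (write(wfd, path, strlen(path) + 1) < 0) _exit(1);
    sleep(1);                   /* the post's "waits a short while" */
    unlink(path);               /* a process already running the copy is unaffected */
    _exit(0);
}

/* Returns the launched program's exit status, or -1. path_out gets the copy's name. */
int launch_via_copy(const char *src, const char *dir, char *const argv[],
                    char *path_out, size_t len) {
    int fds[2], st1 = 0, st2 = 0;
    pid_t p2 = pipe(fds) < 0 ? -1 : fork();
    if (p2 < 0) return -1;
    if (p2 == 0) { close(fds[0]); helper(src, dir, fds[1]); }
    close(fds[1]);
    ssize_t n = read(fds[0], path_out, len - 1);   /* wait for the name */
    close(fds[0]);
    path_out[n > 0 ? n : 0] = '\0';
    pid_t p1 = n > 0 ? fork() : -1;
    if (p1 == 0) {              /* a real setuid launcher drops to the user's uid first */
        execv(path_out, argv);
        _exit(127);
    }
    if (p1 > 0) waitpid(p1, &st1, 0);
    waitpid(p2, &st2, 0);
    return (p1 > 0 && WIFEXITED(st1)) ? WEXITSTATUS(st1) : -1;
}

int main(void) {                /* constructed demo: copy /bin/sh, run it once */
    char p[256]; char *const a[] = {"sh", "-c", "exit 7", NULL};
    return launch_via_copy("/bin/sh", "/tmp", a, p, sizeof p) == 7 ? 0 : 1;
}
```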






