[Wine] Prohibiting wine to acces home directory

Martin Gregorie martin at gregorie.org
Sun Sep 9 12:38:07 CDT 2012

On Sun, 2012-09-09 at 17:37 +0200, Johannes Bauer wrote:
> Hi list,
> I want to use wine, but don't want wine applications to have access to
> my home directory, let alone the entire hard disk. Therefore I've
> removed the Z:\ drive with winecfg and left only C: mapped to
> ~/.wine/drive_c.

> But somehow, applications can still access the files by using the path
> "Desktop" -> "/" (mapped to /) or "Desktop" -> "My Documents" (mapped to
> ~). Only the "Desktop -> My Computer" access is restricted (Z:\ removed).
Replace all these symlinks with directories of the same name - not a bad
move unless you'll want to access any files put there with Linux native

Create another login that is used *ONLY* for Wine and make sure that
both its user and group IDs are private to it. Each time you 
install a Wine app, remove Z: from its dosdevices directory. This way
the directory used for running Wine apps forms a sandbox. You can still
run Wine apps from your usual login: just write a script containing a
command something like:

	sudo - wineuser --command="cd /home/winelogindir" \
                        --command="wine ..."
Put the script somewhere it can be found and executed from your usual
login, and point an app launcher at it. This MUST run the script in a
terminal window because sudo needs to prompt for the wineuser's
password. The terminal window will remain open while the app runs and
close when you exit from it. You can run the script from the command
line until its working the way you want and then plugit into a launcher.

I haven't run Wine apps this way, but I have used it to run another
program that I needed to sandbox because it insisted on littering its
login user with data files: not harmful but extremely annoying.

> How can I completely prohibit wine applications from accessing my home
> directory?
I think using another login as a sandbox is about the best you can do.
Just make sure the user's access permissions are locked down as tight as
you can make them: this means making any scripts etc outside the wine
prefix read-only and (probably) do the same for the wineuser login
directory. This will stop the app from changing or creating any file
outside the wine prefix, but don't remove write from the login directory
until you're sure it all works. 

NOTE: There is an exception: if your system has a file
called .ICEauthority in the login directory, it *must* be writeable or
you can't login to that user.

You could also add something like:

if [ -h '.wine/dosdevices/z:' ]; then rm -rf '.wine/dosdevices/z:'; fi
to the .bash_profile and .bash_logout scripts in wineuser, so that if an
app does try to restore that link (or you create another wineprefix and
forget to remove the z: drive) then it will be looked for and deleted
each time the app is started or stopped. 


More information about the wine-users mailing list