LinuxQuestions.org


saravkrish 11-19-2006 02:13 AM

How to run wine securely? Or in a sandbox.
 
Hi,

I use Fedora and I installed wine using yum. I remember reading somewhere that one should run wine as user "nobody" so that insecure programs (say, IE) don't open up one's Linux box for attacks.

How do I run wine securely so that even if I run an insecure program under wine, it won't be able to access any of my user files? I want to login as sarav and still be able to run wine and not let it access my files. How do I do this?

Thanks in advance.

-Sarav

Indiestory 11-19-2006 06:51 AM

You could create a user locked in their home directory, and only give them permission to use WINE, effectively stopping WINE from editing files the user doesn't own and stopping anyone else from using it.

saravkrish 11-19-2006 04:43 PM

But how do I run win32 apps logged in as a different user? Also, how do I make sure that all files created by the user automatically have group write permissions?

Btw, I'm currently using wine under my user and wanted to prevent access to root dirs. So I removed the root dir using winecfg. But when I do "File->Open" in any win32 app, I still see the root dir under "My Desktop". How do I remove that?

Thanks,
Sarav

sundialsvcs 11-19-2006 05:42 PM

Remember that Wine is a user-mode program; it runs as "you," in your own session. It does not have a separate daemon component .. no, "wineserver" is not a daemon.

If you want to ensure that an IE session, say, cannot do anything malicious, then the problem is exactly the same as how one would address the problem if neither IE nor Wine were involved. It would be the same as you would face if, say, you were guarding against a malicious Java applet running on your own favorite Linux browser.

You would do this by setting up a separate user account, connecting to it, and doing your work in that account. XWindows and XOrg can both allow you to start new graphical sessions on the same terminal, and you switch between them with a Shift+Ctrl+Fn sequence.

You can also use the command-line su username command, or even sudo, to execute a particular command as someone else. You might find that capability built-in to your favorite graphical shell, akin to Microsoft Windows' "run as user" facility.

A process that is launched as a particular user is strictly limited to the capabilities assigned to that user. If you wish to make your own files "strictly off limits" to some process that you ("the person") have initiated .. this is how to do it. It applies equally to Windows and Linux.
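What launching Wine under a separate account with sudo can look like, as an added example that is not part of the post above. The account name `winebox`, the sudoers rule and the function names are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example: run Wine as a dedicated low-privilege account through sudo.
# Assumptions (not from the thread):
#   - "winebox" is a hypothetical account, created once as root with
#       useradd --create-home winebox
#   - a sudoers rule added with visudo lets the desktop user act as it, e.g.
#       sarav ALL=(winebox) ALL
#   - sudo keeps DISPLAY in the environment (part of its default env_keep list)
WINE_USER="${WINE_USER:-winebox}"

# Return 0 if accounts other than the owner and group have any permission
# on the given path. The "other" permission triplet is columns 8-10 of ls -ld.
others_can_access() {
    perms=$(ls -ld -- "$1" | cut -c8-10)
    case "$perms" in
        *[rwxt]*) return 0 ;;   # r, w, x, or t (sticky bit with x) present
        *)        return 1 ;;
    esac
}

# Start a Windows program as $WINE_USER, but only if our own home directory
# is closed to other accounts. A separate account protects nothing when
# $HOME is world-readable.
run_wine_isolated() {
    if others_can_access "$HOME"; then
        echo "refusing: $HOME is open to other users (chmod 700 \"$HOME\")" >&2
        return 1
    fi
    # Allow only this one local account to connect to the current X display.
    # Note: any client on the same X display can still observe input and
    # windows of other clients; a separate X session avoids that.
    xhost "+SI:localuser:$WINE_USER" >/dev/null || return 1
    # -H sets HOME to the target account's home, so the .wine profile is
    # created there and not in the invoking user's home.
    sudo -u "$WINE_USER" -H wine "$@"
}

# Usage, after sourcing this file:
#   run_wine_isolated notepad.exe
```
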

jlo_sandog 11-19-2006 08:40 PM

I actually don't think that by running IE under wine you will have any issues with security. In a sense it runs in its own sandbox, and if it were to get infected, which I doubt, all you would have to do is delete the .wine profile. Next time you start wine it would generate a new one.

saravkrish 11-19-2006 09:52 PM

I guess sudo is the way to go.

sundialsvcs, I agree/knew that risks due to IE are similar to risks due to any other untrusted linux app. But the problem is that more people try to attack IE rather than some random Linux app.

Also, I don't consider that IE is as secure and well written as other linux apps (might be wrong here).

So my question is still well placed, but so is your solution. Have to dig into sudoing as another user. I know only to sudo as root not as another user.

jlo_sandog, No. IE doesn't run in a sandbox. IE runs natively (hence Wine Is Not an Emulator). So once a buffer flow in IE is used to inject code, all a blackhat needs to do is inject linux specific code instead of windows specific code and your linux user account goes boom.

Thanks,
Sarav

jlo_sandog 11-21-2006 02:45 AM

Yes, but that's my point: what's the chance someone will write linux specific code to infect a computer when someone uses IE?

saravkrish 11-21-2006 10:35 PM

jlo_sandog,

That's not what you claimed in your previous post. According to your previous post (quote: "and if it were to get infected, which I doubt, all you would have to do is delete the .wine profile"), IE infection can never affect any linux user files that are not made available through drive mapping in winecfg.

Also, just because we don't expect someone to attack Linux through IE+Wine doesn't mean the problem doesn't exist.

Anyway, let's not deviate from the main topic of this thread. Btw, I think sundialsvcs answered my question.

Thanks,
Sarav


All times are GMT -5.