
#1 2014-05-26 20:12:45

Soukyuu
Member
Registered: 2014-04-08
Posts: 854

[Solved] wine: restricting execution to specific user/group safe?

From what I understand, the way of exploiting a bug in a browser and launching malware in the background won't work with wine as the malware injector calls "some.exe", not "wine some.exe". So using wine is safe unless the person is "dumb" enough to execute a windows executable from an untrusted source, right?

I have the following situation: there are two users, one should be able to execute Windows programs, the other one (who recently got misled by a "you need to update flash player" malware link -_-) should be unable to.
What I thought I'd do was to create a group, let's say, called "wine" and change the permissions on the wine executable(s) so that only users of this group get the executable right. Then add users to this group.

Is this safe? Is changing permissions on wine/wine64 enough, or should I also modify them for wine(64)-preloader? Or is there maybe a better way to do that?

edit: also, will the permissions be reset when pacman updates wine?

Last edited by Soukyuu (2014-05-28 15:20:23)


[ Arch x86_64 | linux | Framework 13 | AMD Ryzen™ 5 7640U | 32GB RAM | KDE Plasma Wayland ]


#2 2014-05-27 11:51:47

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: [Solved] wine: restricting execution to specific user/group safe?

Soukyuu wrote:

edit: also, will the permissions be reset when pacman updates wine?

They should be reset then, yes.

How about using sudo / sudoers for this?

You'd still use the wine group, but instead of changing filesystem permissions use /etc/sudoers to limit access.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)
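
An added example, not part of either post: a shell audit for the group-permission idea from post #1, reporting when the binaries have drifted back to world-accessible as the reply above expects after an update. The group name "wine" is the poster's suggestion; the function names and the /usr/bin/*-preloader paths are assumptions, and GNU stat is required.

```shell
#!/bin/sh
# Added example: report whether launcher binaries are still limited to one group.
# Requires GNU stat. Function names are illustrative, not from the thread.

# check_restricted FILE GROUP
# returns 0 = restricted, 1 = drifted, 2 = missing
check_restricted() {
    cr_file=$1; cr_group=$2
    if [ ! -e "$cr_file" ]; then
        echo "MISSING  $cr_file"; return 2
    fi
    # -L follows symlinks, whose own mode is always 777 and says nothing.
    cr_mode=$(stat -L -c '%a' "$cr_file")
    cr_fgrp=$(stat -L -c '%G' "$cr_file")
    cr_other=${cr_mode#"${cr_mode%?}"}      # last octal digit = "other" bits
    # Require no "other" access at all: a file that is readable but not
    # executable can still be copied and the copy marked executable.
    if [ "$cr_fgrp" = "$cr_group" ] && [ "$cr_other" = 0 ]; then
        echo "OK       $cr_file (mode $cr_mode, group $cr_fgrp)"; return 0
    fi
    echo "DRIFTED  $cr_file (mode $cr_mode, group $cr_fgrp)"; return 1
}

# audit GROUP FILE...  -> returns 0 only if every file is restricted
audit() {
    a_group=$1; shift; a_bad=0
    for a_f in "$@"; do
        check_restricted "$a_f" "$a_group" || a_bad=1
    done
    return "$a_bad"
}

# Demo on constructed files; the files' own group stands in for "wine".
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/wine" "$d/wine64"
    chmod 750 "$d/wine"       # restricted as intended
    chmod 755 "$d/wine64"     # world-executable, as after the reset discussed above
    g=$(stat -c '%G' "$d/wine")
    audit "$g" "$d/wine" "$d/wine64"; rc=$?
    rm -rf "$d"; return "$rc"
}

# Real use, e.g. after each upgrade (preloader paths are assumed):
#   audit wine /usr/bin/wine /usr/bin/wine64 /usr/bin/wine-preloader /usr/bin/wine64-preloader
if [ "${1:-}" = demo ]; then demo || true; fi
```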


#3 2014-05-28 10:39:49

Soukyuu
Member
Registered: 2014-04-08
Posts: 854

Re: [Solved] wine: restricting execution to specific user/group safe?

Hmm, do you mean something along the lines of adding

userone ALL=/usr/bin/wine,/usr/bin/wine64

to the sudoers file?

edit: I can't seem to get wine to be only executable via sudo, the limitation via sudo works otherwise. Although, wouldn't that mean I execute the program with root rights?

Last edited by Soukyuu (2014-05-28 10:57:54)


[ Arch x86_64 | linux | Framework 13 | AMD Ryzen™ 5 7640U | 32GB RAM | KDE Plasma Wayland ]


#4 2014-05-28 13:15:36

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: [Solved] wine: restricting execution to specific user/group safe?

Not necessarily with root rights, sudo can also be used to run commands as other users.

However, sudo is supposed to limit what users can do when running sudo <something>, and that's not what you want to block.

I am thinking that you need to decide how much you can trust that user.
Are you trying to prevent them from running wine some.exe by accident?
For that case, using an alias in their ~/.bashrc like wine=ls would be sufficient.

(Of course that can be circumvented by executing /usr/bin/wine directly)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#5 2014-05-28 13:33:24

Soukyuu
Member
Registered: 2014-04-08
Posts: 854

Re: [Solved] wine: restricting execution to specific user/group safe?

Ideally, I'd want the user to be able to only execute whitelisted wine programs, but from what I know it's not possible. It's mainly to guard against accidental execution of mal/adware, which happened a few times while this computer was running Windows. My parents lack the technical knowledge to try and circumvent those measures, nor do they have a reason. This means they are only using the GUI and call me if something doesn't work. Would using an alias guard against double-clicking on a Windows binary?

The reason I have wine at all is that I still need some Windows programs on that PC, and the reason I switched to Linux was to free up resources used up by the antivirus. So theoretically I could just launch the programs I need in a VM, but that would just negate any resource gains I got by installing Linux...


[ Arch x86_64 | linux | Framework 13 | AMD Ryzen™ 5 7640U | 32GB RAM | KDE Plasma Wayland ]


#6 2014-05-28 14:37:00

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: [Solved] wine: restricting execution to specific user/group safe?

Soukyuu wrote:

Would using an alias guard against double-clicking on a windows binary?

I'm not 100% sure, but I think that's set up through the ~/.local/share/applications folder
(I always remove the files put there by wine)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#7 2014-05-28 15:16:27

Soukyuu
Member
Registered: 2014-04-08
Posts: 854

Re: [Solved] wine: restricting execution to specific user/group safe?

Removing the wine folder there didn't seem to change anything. However, I think it might be sufficient to change the .exe association to "none" in KDE.
The "open with" dialog should be confusing enough for them to be unable to launch it, and it doesn't affect launching programs from the application menu nor the command line.

Should work as "semi-whitelisting", only allowing them to launch programs I put into the application menu. Thanks for the suggestions.


[ Arch x86_64 | linux | Framework 13 | AMD Ryzen™ 5 7640U | 32GB RAM | KDE Plasma Wayland ]
