Limiting the execution of Wine to allowed programs

tomsawyer2k5
Level 1
Posts: 5
Joined: Sun Jan 08, 2012 10:24 pm

Limiting the execution of Wine to allowed programs

Post by tomsawyer2k5 »

My uncle has these kids who messed up their Windows computer on a monthly basis by going to unsafe websites. So I had to fix it for them, multiple times. There was a time when I went on strike, but because of the family I was "forced" into fixing it. Lots and lots of hours wasted on fixing their computer problems and still they don't learn their lesson.

So, the past few months I changed them to Kubuntu. No viruses since and no reinstalls done for a long while :D Then a few days ago I found Linux Mint. Loved it and am in the process of switching them over. But there are a few games that I'd like to get working for them (they are die-hard Sonic fans :) ). No problem since I already got them working.

The issue I have with Wine is that, unlike before or I never noticed, every executable that Mint sees can be executed. I don't want that. Those kids like to download random executables and install them.

So, if I could prevent wine from running all the exe files except for the three games that I installed, like have some kind of allow list, then it would be perfect. How do I go about doing this?
Pavel Troller

Post by Pavel Troller »

Hi!
I think it might be done by the following trick with file permissions:
1) Create a special user in the system (say, wine), including its home directory. This directory must be unwritable, but readable/executable by other users.
2) Setuid the wine binary to that user.
3) Possibly create a wrapper script which will be started instead of the wine binary; it will set the proper WINEPREFIX first and then call the binary.
4) Install all the wanted binaries into that WINEPREFIX (which will reside in the wine home directory).
5) Manage the wine dosdevices to prevent wine from seeing the root filesystem; let it see just its home directory and the virtual C: drive.
Because of this setup, the kids will not be able to write to the wine home directory. The exception is that wine itself will be allowed to write there (which is necessary for most Windows programs), so be sure that there is no tool installed in wine which allows downloading things (like IE, wget or similar).
I hope it will work. I didn't test it, but according to the principles of the Unix permission system, it should be OK.

Regards, Pavel
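A minimal form of the wrapper script from step 3, combined with the allow list the original question asks for, as an added example that is not from this thread or from the Wine project. The paths /home/wine, /home/wine/.wine, /home/wine/allowed.txt and the one-path-per-line list format are assumptions; the script only decides which .exe may be started and does nothing about the user/ownership setup of steps 1, 2 and 5.

```sh
#!/bin/sh
# Allow-list wrapper for Wine (the idea in step 3 above): desktop shortcuts and the
# .exe file association point at this script instead of /usr/bin/wine, and it only
# starts an executable whose canonical path is listed in the allow list.
# All paths here are assumptions for the example, not settings from the thread.
WINE_HOME=/home/wine                                   # home of the dedicated user (step 1)
WINE_PREFIX_DIR="$WINE_HOME/.wine"                     # prefix that holds the three games (step 4)
ALLOWLIST="${WINE_ALLOWLIST:-$WINE_HOME/allowed.txt}"  # one absolute path to an allowed .exe per line
WINE_BIN=/usr/bin/wine

# Canonical form of a path, so "../" tricks and symlinks compare equal to the listed file.
canon() {
    readlink -f -- "$1" 2>/dev/null
}

# allowed_exe PATH: exit 0 if PATH resolves to an entry of the allow list, 1 otherwise.
# Blank lines and lines starting with '#' in the list are ignored.
allowed_exe() {
    target=$(canon "$1") || return 1
    [ -n "$target" ] || return 1
    [ -r "$ALLOWLIST" ] || return 1
    while IFS= read -r entry; do
        case "$entry" in ''|\#*) continue ;; esac
        if [ "$(canon "$entry")" = "$target" ]; then
            return 0
        fi
    done < "$ALLOWLIST"
    return 1
}

# launch EXE [ARGS...]: run a listed program inside the fixed prefix; refuse anything else.
launch() {
    if allowed_exe "$1"; then
        WINEPREFIX="$WINE_PREFIX_DIR" exec "$WINE_BIN" "$@"
    fi
    echo "wine-wrapper: '$1' is not in $ALLOWLIST, refusing to run it" >&2
    return 126
}

# Only act when invoked with an executable to run (sourcing the file just defines the functions).
if [ $# -gt 0 ]; then
    launch "$@"
fi
```

Because the comparison is made on canonical paths, a copy of a game renamed to something else, a symlink pointing at an unlisted file, or a path written with "../" is still refused.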
tomsawyer2k5
Level 1
Posts: 5
Joined: Sun Jan 08, 2012 10:24 pm

Post by tomsawyer2k5 »

Wow, um, I guess I should've mentioned that my Linux knowledge is that of a novice. I could do step 1, but all those other steps I do not know how to do. All I did was add the Wine repository to Synaptic package manager's list and chose to install the dev/beta version.

Reading your idea makes sense as only the "Wine" user can directly modify the directory and as long as you're a different user, you cannot write to the C: directory thereby preventing any applications from being installed.

I was thinking something like having Mint not even recognize the .exe extension by removing the file association, but then how do I get Wine to execute the three games I've installed?
Martin Gregorie

Post by Martin Gregorie »

On Tue, 2012-01-10 at 21:36 -0600, tomsawyer2k5 wrote:
> I was thinking something like having Mint not even recognize the .exe
> extension by removing the file association, but then how do I get Wine
> to execute the three games I've installed?
That wouldn't work because, although Linux uses file extensions to
associate data files with the programs that operate on them, this is
irrelevant when it comes to executing a program.

All that matters for a standard Linux program to be run is whether:
(1) the binary can be found, which means that one of these must be true:
- it is in the user's search path
- it is referenced with a relative path name, e.g. ./mybinary
- it is referenced directly with an absolute pathname, e.g.
/usr/local/bin/mybinary
(2) its access permissions mark it as executable by the user who is
trying to run it.

The file name of a binary executable is not relevant for deciding
whether to run it.

Wine apps are a bit different: if they have the appropriate executable
permissions set and you're in the right directory or use an absolute
pathname the app may start and run: at least one of the apps I use does
that. Condition (1) above still applies, but Wine apps can also be run
by explicitly calling wine:

wine myapp.exe

regardless of whether the execute permissions are set or not and
regardless of what the file extension may be (rename a Windows exe and
see this for yourself). All that matters in this case is that the
executable must be readable by the user trying to run it.

So, in the end it all comes down to using file permissions to control
who gets to run any binary executable.

Martin
tomsawyer2k5
Level 1
Posts: 5
Joined: Sun Jan 08, 2012 10:24 pm

Post by tomsawyer2k5 »

So what you're saying is that Wine can see beyond the .exe extension and run the executable for what it is, not by what it's named by. Doesn't that kinda defeat the purpose of having file associations?

So I guess my next idea is a bust too. I was thinking that I should change the extension of the three games to something like ".lxx" and then have Wine associated with the .lxx file extension and remove Wine's .exe file association. That way when the kids download some exe from the internet and try to double-click it, they will be given the prompt of which program to run it with. At this point they will be confused, since they don't know about Wine, and give up. I guess this is a no go then?
Martin Gregorie

Post by Martin Gregorie »

On Wed, 2012-01-11 at 10:19 -0600, tomsawyer2k5 wrote:
> So what you're saying is that Wine can see beyond the .exe extension
> and run the executable for what it is, not by what it's named by.
> Doesn't that kinda defeat the purpose of having file associations?
Not at all: The use of executable permission bits goes back to the dawn
of UNIX in around 1970, when extensions had no real meaning except to the
human users of the system, except where they were hard wired into programs
like compilers. The idea of associating a <<data file extension>> with
the program the user prefers to handle that type of data with appeared
after e-mail readers learnt to decode attachments and is a similar
mechanism, hence referring to the associations list as MIME
associations.
> So I guess my next idea is a bust too. I was thinking that I should
> change the extension of the three games to something like ".lxx" and
> then have Wine associated with the .lxx file extension and remove
> Wine's .exe file association. That way when the kids download some
> exe from the internet and try to double-click it, they will be given
> the prompt of which program to run it with. At this point they will
> be confused, since they don't know about Wine, and give up. I guess
> this is a no go then?
Nope - won't work because, as you saw, Linux binary loaders look at
what's in the file (they have to - there is more than one legal binary
format and a different loader for each). FWIW there are other places
where this occurs: some image handling programs do the same and for a
very similar reason, e.g. think different JPEG versions.

Use the access controls to build your unauthorised programs trap -
that's what they are there for.

And, while you're setting that up, you should consider that Windows
programs are mostly designed to be used by just one person sitting in
front of a PC that's dedicated to their use and has an installed copy of
the program. These programs can and do hack about with the registry,
which can cause merry hell, app crashes and data file corruption if more
than one person is trying to use the same program at once via Wine on a
Linux box. IOW, if this can happen, you need to build a mechanism to
prevent simultaneous use of the same program. Linux permits this and is
designed to support it because it's always been a multi-user system, just
like UNIX before it. As a result Linux programs are designed to allow
simultaneous use by more than one person and this includes Wine itself.

However, Wine was designed to work on the assumption that every Wine
user has installed their own copy of a Windows app in their own
directory, so it does not prevent simultaneous use of the same Windows
app and never will do so.

Martin
landeel
Level 2
Posts: 34
Joined: Sun May 18, 2008 11:49 am

Post by landeel »

I have an idea.

You could install the games for them in a custom WINEPREFIX and of course, create the proper shortcuts for them.

Then you can break the default WINEPREFIX so when they click an executable it won't work.
tomsawyer2k5
Level 1
Posts: 5
Joined: Sun Jan 08, 2012 10:24 pm

Post by tomsawyer2k5 »

How do I go about doing that? Could you post the instructions for me?
winepunk
Level 2
Posts: 29
Joined: Sun Jan 22, 2012 12:40 am

Post by winepunk »

1. Mint Menu -> Administration -> Users and Groups

2. User Setting Window Appears. Press the Add button.

3. Type in wine for both fields. Press OK. (You don't have to encrypt home folder for this.)

4. Type in a password and verify it. Press OK.

5. You will be taken back to the User Settings window. You will see wine as a new user. Hit the Close button.

See next post for the rest of the steps.
winepunk
Level 2
Posts: 29
Joined: Sun Jan 22, 2012 12:40 am

Post by winepunk »

Someone will have to help you with the permissions. I'm not really sure how you can stop all writing on the new user's account, wine, but still allow the executables to write.

I'm curious to know how this is done myself.
tomsawyer2k5
Level 1
Posts: 5
Joined: Sun Jan 08, 2012 10:24 pm

Post by tomsawyer2k5 »

Wow, I didn't expect anyone to reply...my bad. Actually I was more interested in landeel's idea of a custom Wineprefix. If I can do that, then I could also implement a DirectX fix for one of the older games...Sonic R, and fix that green patching. Well, I dunno how to implement the patch, but I know where the code is.

Since there's plenty of space on the hard drive, installing Wine per game is fine with me.

So, can someone possibly help me with this, or am I over my head?
dimesio
Moderator
Posts: 13367
Joined: Tue Mar 25, 2008 10:30 pm

Post by dimesio »

http://wiki.winehq.org/FAQ#head-faf9617 ... 522d490faf