Help me in creating secure user account for Wine!

Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Help me in creating secure user account for Wine!

Post by Nokia-808 »

Hi. I'm on Linux Fedora 24 X64, Cinnamon version (full hard-disk installation). I need Wine to run PDF programs, but I'm very concerned about the risk of viruses & spyware & other evils. I investigated the issue on the Fedora forum & got no real help. The problem is: how do I make Wine installed only on a new separate user account that I would like to create for it? Any installed rpm package will be available to all users. Finally I discovered something that may be a solution, but I'm not sure. Can you kindly help me, please?

Here is my idea:

I discovered a special package manager that works (when installing, removing, updating packages) without root privilege (no need for su or sudo). If this is correct, it should be able to install applications on a user account that has no shell (an account with a disabled shell)!

This manager is Nix:

http://nixos.org/nix/

It says that it is a multi-user package manager & does not allow an independent manager profile for each user that differs from that of other users & one user is not allowed to inject malware into other users!! It says that it allows non-privileged users to install packages securely!! Look at this:

http://nixos.org/nix/about.html

Take this quotation:

"Multi-user support:
Starting at version 0.11, Nix has multi-user support. This means that non-privileged users can securely install software. Each user can have a different profile, a set of packages in the Nix store that appear in the user’s PATH. If a user installs a package that another user has already installed previously, the package won’t be built or downloaded a second time. At the same time, it is not possible for one user to inject a Trojan horse into a package that might be used by another user."

What is this ??!!!

Now I have the following idea:

1) From within the 1st owner account (that we created during installation of Fedora) we create a new user account with a separate (different) home directory BUT WITH A WORKING SHELL (BECAUSE OF THE INSTALLATION OF THE NIX PACKAGE MANAGER):

sudo useradd -m -d /windows/data/ -s /bin/bash wine-user

2) restart PC, then log in to this new account (wine-user)

3) From within the wine-user account we install the Nix package manager as follows:

$ bash <(curl https://nixos.org/nix/install)

Look at what is documented about this on the site:

http://nixos.org/nix/manual/#chap-installation

I quoted the following:

"If you are using Linux or Mac OS X, the easiest way to install Nix is to run the following command:

$ bash <(curl https://nixos.org/nix/install)

This will perform a single-user installation of Nix, meaning that /nix is owned by the invoking user. You should run this under your usual user account, not as root. The script will invoke sudo to create /nix if it doesn’t already exist. If you don’t have sudo, you should manually create /nix first as root, e.g.:

$ mkdir /nix
$ chown alice /nix"

This means installation of Nix needs "sudo", & for that we create wine-user 1st with working bash.

4) restart PC, then log in to 1st owner account

5) from within 1st owner account we NOW disable bash of wine-user:

sudo usermod -s /bin/false wine-user

Now we have a secure user account which has a separate home directory & has no bash (so by this, if Wine exists in it & runs a virus or malware, then these evils will never ever be able to touch the system or the 1st owner user account's home directory, EVEN IF IT GETS INFECTED BY A VIRUS DESIGNED TO DESTROY LINUX DEPENDING ON WINEHQ INSTALLED ON LINUX, BECAUSE WE ALREADY DISABLED BASH FOR THIS ACCOUNT).

O.K., but how can we install Wine on wine-user, which has no bash? This is possible via Nix, which has no need for sudo or su to install or update or remove packages!!!

Very interesting!!! But do the Nix repositories have WineHQ??!!!

But there is something I'm suspicious about: it seems that installing programs & packages via Nix still needs a shell? So, in this case, does "-s /bin/false" create no shell at all, or only a shell without sudo & without su?? I investigated the internet about this & found this link:

we have /bin/false & sbin/nologin

Look at the following link:

http://linuxg.net/linux-and-unix-no-log ... innologin/

It says that both of them are shells.

But the following is still unclear to me: when it says "/bin/false in an old shell user to deny a user's login" while it says "/sbin/nologin shell that return you a polite message like 'this account is not available'", does this mean that the /bin/false shell can still execute non-privileged commands like:
'$ xrandr --output eDP1 --brightness 0.3' or can it not execute anything??

/bin/false is what is needed to secure the wine-user account, but it should be able to run non-privileged commands so as to allow the Nix package manager to install packages ..... . Please help me with this point.

I hope expert members of this forum can assist us with this discovery.

Best
dimesio
Moderator
Posts: 13208
Joined: Tue Mar 25, 2008 10:30 pm

Re: Help me in creating secure user account for Wine!

Post by dimesio »

Most of your questions seem to be about using Nix; ask those on whatever support channels Nix provides. This forum is for Wine only.

If your goal is simply to limit the ability to run the Wine installed on your system to one user, you can do that with ordinary Posix permissions. An example of how to do that with Firefox is here: http://askubuntu.com/questions/8149/how ... ther-users

You can also use AppArmor or SELinux. Ask for help on how to use those programs on their forums.
Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Re: Help me in creating secure user account for Wine!

Post by Nokia-808 »

Thank you very much "dimesio" for your excellent reply!
I was not targeting Nix; my target is just as you corrected: "simply to limit the ability to run the Wine installed on your system to one user".

However, please be patient with me since I'm a beginner in Linux & I have used Linux as a real hard-disk installation for only about 5 months, & because of that I need further assistance & explanations.

Please review the method that I should use & correct it for me:

1) 1st I have to create a new user account that I would like WineHQ to run only within (let's call it "wine-user"):

sudo useradd -m -d /windows/data/ -s /bin/bash wine-user

this user has a different home directory & has no working shell

2) I have to create a new group (to add "wine-user" to it). Let's call it "risky-work":

sudo addgroup risky-work

3) I have now to install WineHQ

4) After that I have to change the rights of the WineHQ binary & its ownership:

sudo chmod 750 /usr/bin/wine
sudo chown root:risky-work /usr/bin/firefox

Here I have questions:
- is wine extension /user/bin/wine ?
- do I have to write "wine" or "wine-devl" or "wine-stage" or something else ?

5) finally I have to add "wine-user" to group "risky-work":

adduser wine-user risky-work

------------------------

One further question for which I found no answer: there is a time interval between finishing the installation of Wine & the moment that I finish changing its rights & ownership. During this period Wine is available to the 1st owner account, which was created during installation of Fedora & which has sudo rights. So, my question is: does Wine in this period have the ability to automatically run viruses that may be inside my system without my intention? Does Wine have such abilities, or does it need the user to specifically run the virus file? I spent about 5 months using Fedora as my primary system & browsed many Internet sites & may be contaminated by viruses & spyware that remain dormant & inactive within Linux, so does JUST installing Wine activate them automatically, even before launching Wine by installing a Windows application on it?
Bob Wya
Level 12
Posts: 3068
Joined: Sat Oct 16, 2010 7:40 pm

Re: Help me in creating secure user account for Wine!

Post by Bob Wya »

@Nokia-808,

If you're that concerned about the security issues of running applications under wine (not unreasonable), then continue using Fedora and keep the SELinux profile active.

You could install Wine in a Chroot Environment or a Linux Container (LXC). This would provide a more genuine sandbox.

This will be an advanced project for you to tackle. So only attempt it if you're an experienced Unix/Linux user! Especially if you want to keep the SELinux profile active system-wide. Forwarded X-Sessions, etc. will be required as well.

Bob
Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Re: Help me in creating secure user account for Wine!

Post by Nokia-808 »

@Bob Wya: Dear, what you suggest is beyond my skill. I selected Fedora because its SELinux is excellently supported, such that I just leave everything as default & receive updates.

The suggestion of "dimesio" seems appropriate to me. But I need to know what I asked about in the 3rd post in this thread:

1) Is wine extension /user/bin/wine ? Do I have to write "wine" or "wine-devl" or "wine-stage" or something else ?

2) there is a time interval between finishing the installation of Wine & the moment that I finish changing its rights & ownership. During this period Wine is available to the 1st owner account, which was created during installation of Fedora & which has sudo rights. So, my question is: does Wine in this period have the ability to automatically run viruses that may be inside my system without my intention? Does Wine have such abilities, or does it need the user to specifically run the virus file? I spent about 5 months using Fedora as my primary system & browsed many Internet sites & may be contaminated by viruses & spyware that remain dormant & inactive within Linux, so does JUST installing Wine activate them automatically, even before launching Wine by installing a Windows application on it?

------------------------
By the way, there is an error in my reply in post 3:

"sudo chown root:risky-work /usr/bin/wine" not "sudo chown root:risky-work /usr/bin/firefox". Please have it corrected by an admin or moderator because no option for editing post 3 is available to me.
Bob Wya
Level 12
Posts: 3068
Joined: Sat Oct 16, 2010 7:40 pm

Re: Help me in creating secure user account for Wine!

Post by Bob Wya »

Nokia-808 wrote: 1) Is wine extension /user/bin/wine ? Do I have to write "wine" or "wine-devl" or "wine-stage" or something else ?
Sorry I'm not sure what you mean here??!!
Nokia-808 wrote: 2) there is a time interval between finishing the installation of Wine & the moment that I finish changing its rights & ownership. During this period Wine is available to the 1st owner account, which was created during installation of Fedora & which has sudo rights. So, my question is: does Wine in this period have the ability to automatically run viruses that may be inside my system without my intention? Does Wine have such abilities, or does it need the user to specifically run the virus file? I spent about 5 months using Fedora as my primary system & browsed many Internet sites & may be contaminated by viruses & spyware that remain dormant & inactive within Linux, so does JUST installing Wine activate them automatically, even before launching Wine by installing a Windows application on it?
Just follow standard practice...
For example always keep a firewall enabled on your system (in addition to your router firewall).
Also see WineHQ FAQ: 7.4 Is Wine malware-compatible? & 7.5 How good is Wine at sandboxing Windows apps?

You can setup a limited use user - under which to run Wine/applications - as I think you are trying to speculate??
For example see How to run Spotify and Wine under a separate user account ...
All the wine builtin commands, like winecfg, are just shortcuts for wine winecfg, etc. anyway. So it should be just the main executable that you need to add to your sudoers file (as per that guide).

Bob
Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Re: Help me in creating secure user account for Wine!

Post by Nokia-808 »

To dear @Bob Wya:

1) Sorry about the 1st point. It was my mistake to use the term "extension". What I mean in fact is the following (please look at what I put in red color):

In the guide you gave me, it deals with firefox & used:

sudo chmod 750 /usr/bin/firefox
sudo chown root:webusers /usr/bin/firefox

My question is: how can I translate these (in red color) to fit WineHQ?

2) All the links that you gave me (Wine-FAQ, How to run Spotify & Wine under separate account) are known to me. Please look at the thread that I already opened in the Fedora forum (read both page 1 & 2):

http://www.forums.fedoraforum.org/showt ... p?t=311658

Regarding the guide "How to run Spotify & Wine in separate account": it is difficult for me because it involves editing system files.

The guide that you gave me on Ask Ubuntu is very good & I am asking about it.

I just asked myself, since I know about the risk of using Wine: will installing Wine BUT WITHOUT LAUNCHING IT automatically result in running dormant viruses or not?

Best
Bob Wya
Level 12
Posts: 3068
Joined: Sat Oct 16, 2010 7:40 pm

Re: Help me in creating secure user account for Wine!

Post by Bob Wya »

Nokia-808 wrote: To dear @Bob Wya:
...
I just asked myself, since I know about the risk of using Wine: will installing Wine BUT WITHOUT LAUNCHING IT automatically result in running dormant viruses or not?

Best
1) You're quoting dimesio there - not me :?
2) Reading through that Fedora forums thread doesn't exactly inspire confidence that you have any idea what you're trying to achieve...

To answer your question. The main wineserver process cannot magically autostart on Linux - without setting up a .desktop launcher or a native (BASH) script file (or some other means). Without a launched Wine environment - any Windows malware will remain completely dormant on your disk drive...

As I oft say it sounds like: "you're trying to run before you can even walk"... You've found all the stuff I've linked to - yet you say it's too complicated.
That indicates that you need to go away and do some real research (involving reading, trying things out and learning yourself) - rather than trying to be spoon-fed knowledge... :roll:

Bob
dimesio
Moderator
Posts: 13208
Joined: Tue Mar 25, 2008 10:30 pm

Re: Help me in creating secure user account for Wine!

Post by dimesio »

Nokia-808 wrote: In the guide you gave me, it deals with firefox & used:

sudo chmod 750 /usr/bin/firefox
sudo chown root:webusers /usr/bin/firefox

My question is: how can I translate these (in red color) to fit WineHQ?
Where the Wine binaries (wine and wine64) are installed depends on where you got Wine from. Most distro packages install them to /usr/bin. Wine you built yourself would normally be installed to /usr/local/bin, unless you specified a different prefix. The WineHQ packages install them to /opt/wine-devel/bin or /opt/wine-staging/bin. Third party versions of Wine such as Crossover and PlayOnLinux have their own install paths. You are going to have to figure out yourself where the binaries are on your system.
Bob Wya
Level 12
Posts: 3068
Joined: Sat Oct 16, 2010 7:40 pm

Re: Help me in creating secure user account for Wine!

Post by Bob Wya »

Bob Wya wrote:...
To answer your question. The main wineserver process cannot magically autostart on Linux - without setting up a .desktop launcher or a native (BASH) script file (or some other means). Without a launched Wine environment - any Windows malware will remain completely dormant on your disk drive...
...
It did occur to me that you'd want to remove any .exe Linux .desktop file associations that Wine might create as well...

E.g. the default Gentoo app-emulation/wine package - pulls in an Ubuntu helper archive with .desktop files and icons, including:
/usr/share/applications/wine.desktop

Code:

[Desktop Entry]
Type=Application
Name=Wine Windows Program Loader
Exec=wine start /unix %f
MimeType=application/x-ms-dos-executable;application/x-msi;application/x-ms-shortcut;
Icon=wine
NoDisplay=true
StartupNotify=true

That is a genuine attack vector - also it's pretty useless for everyday use.

Bob
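
A check for the file associations described in the post above: it lists every .desktop launcher whose Exec= line runs wine and that registers a MimeType=, meaning file types a double-click would hand to Wine. This is an added example, not part of any post; the scanned directories are the usual XDG application locations and are an assumption about the system.

```shell
#!/bin/sh
# Added example: find .desktop launchers that open files with Wine.

# Print "path<TAB>mime types" for each .desktop file in the given directories
# whose Exec= line runs a binary named wine and which registers a MimeType=.
find_wine_handlers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            # Matches "wine ...", "/opt/.../wine ..." and "env X=1 wine ...",
            # but not other programs such as winecfg.
            grep -Eq '^Exec=(.*[ /])?wine( |$)' "$f" || continue
            # Only entries that declare MIME types advertise themselves
            # as file handlers.
            mime=$(sed -n 's/^MimeType=//p' "$f" | head -n 1)
            [ -n "$mime" ] || continue
            printf '%s\t%s\n' "$f" "$mime"
        done
    done
}

# Default scan: system-wide and per-user application directories (assumed).
find_wine_handlers /usr/share/applications /usr/local/share/applications \
    "${HOME:-/nonexistent}/.local/share/applications"
```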
Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Re: Help me in creating secure user account for Wine!

Post by Nokia-808 »

Thank you very much. It is clear now. I will start to apply the askubuntu guide. Only one question: is there a Linux/Unix command that is used to show the path of any application whose path the user needs to know?
Bob Wya
Level 12
Posts: 3068
Joined: Sat Oct 16, 2010 7:40 pm

Re: Help me in creating secure user account for Wine!

Post by Bob Wya »

Nokia-808 wrote:... Only one question: is there a Linux/Unix command that is used to show the path of any application whose path the user needs to know?
Not quite sure what you mean here...

There's:

Code:

which wine
/usr/bin/wine

Which will be based off the order of directories in your env PATH variable:

Code:

env | grep '^PATH'

There's:

Code:

whereis wine
wine: /usr/bin/wine /usr/lib64/wine /usr/include/wine /usr/share/wine /usr/share/man/man1/wine.1.bz2

Just showing you the main (same-architecture) directories for a command.

Then there's the package manager specific commands such as:

Code:

dnf repoquery -l wine

to list all the files, belonging to an installed package, on Fedora (assuming the required repository is active).

That what you were thinking of?

Bob
Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Re: Help me in creating secure user account for Wine!

Post by Nokia-808 »

Bob Wya wrote:
Nokia-808 wrote:... Only one question: is there a Linux/Unix command that is used to show the path of any application whose path the user needs to know?
Not quite sure what you mean here...

There's:

Code:

which wine
/usr/bin/wine

Which will be based off the order of directories in your env PATH variable:

Code:

env | grep '^PATH'

There's:

Code:

whereis wine
wine: /usr/bin/wine /usr/lib64/wine /usr/include/wine /usr/share/wine /usr/share/man/man1/wine.1.bz2

Just showing you the main (same-architecture) directories for a command.

Then there's the package manager specific commands such as:

Code:

dnf repoquery -l wine

to list all the files, belonging to an installed package, on Fedora (assuming the required repository is active).

That what you were thinking of?

Bob
I mean the command which assists me in discovering the correct equivalent for what I put in red color in the following commands:

sudo chmod 750 /usr/bin/firefox
sudo chown root:webusers /usr/bin/firefox


It seems that "which wine" is what I mean, isn't it ?
Bob Wya
Level 12
Posts: 3068
Joined: Sat Oct 16, 2010 7:40 pm

Re: Help me in creating secure user account for Wine!

Post by Bob Wya »

Nokia-808 wrote: I mean the command which assists me in discovering the correct equivalent for what I put in red color in the following commands:

sudo chmod 750 /usr/bin/firefox
sudo chown root:webusers /usr/bin/firefox


It seems that "which wine" is what I mean, isn't it ?
Yup, pretty much. 8)

E.g.

Code:

sudo chmod 750 "$(which wine)"
sudo chown root:webusers "$(which wine)"

Bob
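
The group restriction discussed in this thread as a script, with an audit that can be re-run later, since a package update reinstalls the binary with its packaged owner and mode. This is an added example, not from any poster; the group name passed to `restrict_wine` is an assumption, and `stat -c` and `readlink -f` are the GNU coreutils forms found on Fedora.

```shell
#!/bin/sh
# Added example: restrict the Wine launchers to one group and audit the result.

# Resolve a command name to the real file behind it. chmod and chown act on
# a symlink's target, so the audit must look at the target as well.
real_binary() {
    p=$(command -v "$1") || return 1
    readlink -f "$p"
}

# Return 0 when users outside the owner and group cannot execute the file.
others_cannot_exec() {
    mode=$(stat -c '%a' "$1") || return 2
    case "${mode#"${mode%?}"}" in      # last octal digit = "other" bits
        1|3|5|7) return 1 ;;
        *)       return 0 ;;
    esac
}

# Apply the restriction (run as root). The group name is an assumption: the
# thread uses both "risky-work" and "webusers". On Fedora the group and the
# membership come from `groupadd GROUP` and `usermod -aG GROUP wine-user`.
restrict_wine() {
    group=$1
    for name in wine wine64; do
        bin=$(real_binary "$name") || continue
        chown "root:$group" "$bin" && chmod 750 "$bin"
    done
}

# Print one line per launcher found on PATH: state, owner:group, mode, path.
audit_wine() {
    for name in wine wine64; do
        bin=$(real_binary "$name") || continue
        if others_cannot_exec "$bin"; then state=restricted; else state=OPEN; fi
        printf '%s %s %s\n' "$state" "$(stat -c '%U:%G %a' "$bin")" "$bin"
    done
}

audit_wine
```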
Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Re: Help me in creating secure user account for Wine!

Post by Nokia-808 »

I would like to suggest that you post this guide (askubuntu), after you rewrite it for Wine as a summary of this thread, in your official WineHQ FAQ. It will be very useful & will encourage people to use Wine on Linux & relieve them of headaches. I suggest posting it in "Is Wine malware-compatible?"

Such an easy, simple method is unfortunately not known to many!

----------------------
By the way, I entered my password wrongly more than once, then I logged in correctly after being asked to answer a question. But when I tried to post, a message appeared saying that my IP is blocked by a system against spam! I then logged in again with Tor browser to be able to post this reply. Please kindly correct this issue.