Please can you kindly assist me in completing this super-secure approach for installing & using WineHQ? I discovered an issue & am not sure whether it represents a risk or not, & I need experts to assist me.
The aims of the approach are: create a separate account with a separate home directory to run WineHQ within it; this account has no "sudo" or "su" power at all & cannot achieve remote root access via SSH.
Please look at this approach, which I applied step by step:
I'm on Fedora 24 X64 bit Cinnamon Edition.
Run WineHQ in Virus/Malware Risk Free Mode:
I. Create New Isolated Secure User Account:
1) create the new user account that you would like WineHQ to run only within (let us call it "wineuser"):
sudo useradd -m -d /windows/data -s /bin/bash wineuser
unlock this account by creating a password for it:
sudo passwd wineuser
this new user has a different home directory from your owner user account, but has a working shell which is able to gain root privilege.
2) disable the ability of the wineuser account's shell to obtain root privilege through the following:
a- disable sudo power for "wineuser":
This is already the default setting in Fedora, so there is no need for this step.
But for other distros: menu, system settings, Users & groups, select "wineuser", & remove it from the wheel group.
b- disable su power for any newly added standard user:
There are 3 ways to do this:
sudo vi /etc/pam.d/su
then uncomment the following line:
#auth required pam_wheel.so use_uid
then save & exit
c- be sure that SSH (if already installed on your PC) is disabled:
- to show state of SSH in brief (just active or not active):
$ systemctl is-active sshd.service
- if SSH is active, then stop it permanently by:
sudo systemctl stop sshd.service
d- restart your PC
II. Install WineHQ & Limit Its Use to the wineuser account only:
- create a new group (to add "wineuser" to it). Let us call it "riskywork":
sudo groupadd riskywork
- install WineHQ
- restart your PC
- change ownership of the WineHQ/POL binary first, then change its rights, in the following sequence:
sudo chown root:riskywork $(which wine)
sudo chmod 750 $(which wine)
- add "wineuser" to group "riskywork":
sudo usermod -a -G riskywork wineuser
or you can do this from GUI: system menu, system setting, administration, users & groups …….. .
III. Install & Use Antivirus:
We need an antivirus to avoid virus damage or modification of your files while being within the "wineuser" home directory.
We have 2 options:
1) install a portable clamav package within the wineuser account & run it via WineHQ. (recommended: less invasive & does not consume your machine's resources when you are using your owner account, as the antivirus scan works only within the home directory of the "wine user" account).
2) Alternatively, you can install an ordinary antivirus package from the repositories from within your owner account. In this case, the antivirus scan will work on all of your OS.
You have to update your antivirus & scan the home directory of "wineuser" every time before use, to avoid a virus damaging or modifying your files while being within the "wineuser" home directory.
That is all! Now it is as if you have 2 laptops in your single PC. When you would like to use a Windows application, say PDF restriction removal to remove password limitations from a PDF, you should put your PDF on a USB flash stick, enter the "wineuser" account, update the antivirus, scan the USB flash, use the Windows program to remove the limitations from it, then log out of the "wineuser" account & log in to your ordinary account & store your PDF in your ordinary home directory & let viruses play in the wineuser account home – if they escape the scan!!
The approach works very well. I tested it in 2 steps:
1) I logged in to my 1st user (the owner account that I already created during the fresh installation of my Fedora):
I tried to run .exe files from my 1st user (the owner account which has sudo & su power) BUT THEY NEVER EVER WORKED.
I then tried from terminal the following commands:
$ wine uninstaller
$ wine config
$ wine application.exe
all failed & I received "permission denied" messages in response to them, so everything is O.K.
2) then I switched to the "wineuser" account & repeated the above tests & all ran normally & I installed Windows applications very well & ran them very O.K ......
--------------------------
The problem started when I recognized, while I'm logged in to my 1st user account (the owner account with sudo & su power), that although I cannot run from the terminal:
$ wine config
I CAN STILL LAUNCH THE GUI OF WINE CONFIGURATION BY CLICKING THE ICON FOR IT THAT WAS CREATED IN THE APPLICATIONS MENU!!! When I clicked this icon, a ./wine folder was created in the home directory & the GUI to configure Wine appeared to me, & I used it to change the configuration to set the default from Windows XP to Windows 7 ....
Later on I discovered that I am still able to run the wine browser the same way: click on its icon in the applications menu!!!
Then, & in the same way, I ran a game that came with Wine (built in) called Wine minet or something like this!!!
But whenever I tried to run a Windows .exe file or install a Windows program, I failed (till now).
----------------------
My questions:
1) does this represent or carry a risk of running a virus or malware while I'm logged in to my owner account (which has su & sudo power)? Certainly I will never run wine as root, but I ask about the risk of a virus specifically engineered to attack Linux via WineHQ already installed on Linux.
2) why does this happen?!! I can still run wine configuration, wine file, wine browser, the wine built-in game, .. from the applications menu while I cannot do any of these from the terminal?
3) in the light of point (2) above, what do I have to do further to avoid this issue? Is (are) there further step(s) needed to improve the approach described above?
Please, your kind help!
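A read-only check for the situation described in the post, added here as an example and not part of the original post: it lists which wine* programs in a directory can still be executed by every account, and which command each Wine menu entry runs. The default paths /usr/bin and /usr/share/applications, the wine* file naming and the variable names BIN_DIR and APP_DIR are assumptions.

```shell
#!/bin/sh
# Added example: audit which Wine entry points are still open to accounts
# outside the "riskywork" group. It only reads file modes and .desktop files.

# List files named wine* in directory $1 (symlinks are followed) whose
# "other" execute bit is set, i.e. any local account may run them.
world_exec_wine() {
    find -L "$1" -maxdepth 1 -type f -name 'wine*' -perm -0001 2>/dev/null | sort
}

# Print "<desktop file>: <command>" for each Exec= line of the Wine menu
# entries found in directory $1, to show what a menu icon really launches.
menu_exec_lines() {
    for f in "$1"/wine*.desktop; do
        [ -f "$f" ] || continue
        awk -v n="$(basename "$f")" \
            '/^Exec=/ { sub(/^Exec=/, ""); print n ": " $0 }' "$f"
    done
}

# Assumed default locations; override with BIN_DIR / APP_DIR if they differ.
echo "wine* programs executable by every account:"
world_exec_wine "${BIN_DIR:-/usr/bin}"
echo "commands started by the Wine menu entries:"
menu_exec_lines "${APP_DIR:-/usr/share/applications}"
```

Any program named in the second list that also appears in the first list can be started from the menu by an account that is not in "riskywork".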