Help me to complete this supersecure approach for WineHQ !

Nokia-808
Level 2
Posts: 22
Joined: Wed Apr 20, 2016 11:50 am

Help me to complete this supersecure approach for WineHQ !

Post by Nokia-808 »

Hi. First of all, I would like to say thank you very much to the developers for their very hard work to develop & improve & evolve WineHQ in such huge steps .......

Can you kindly help me complete this supersecure approach for installing & using WineHQ? I discovered an issue & am not sure whether it represents a risk or not, & I need experts to assist me.

The aims of the approach are: create a separate account with a separate home directory to run WineHQ within it; this account has no "sudo" or "su" power at all & cannot achieve remote root access via SSH.

Please look at this approach, which I applied step by step:
Run WineHQ in Virus/Malware Risk Free Mode:

I. Create New Isolated Secure User Account:

1) Create a new user account that you would like WineHQ to run only within (let us call it "wineuser"):
sudo useradd -m -d /windows/data -s /bin/bash wineuser
Unlock this account by creating a password for it:
sudo passwd wineuser
This new user has a different home directory from your owner user account, but has a working shell which is able to gain root privilege.

2) Disable the ability of the wineuser account shell to obtain root privilege through the following:

a- Disable sudo power for "wineuser":
This is already the default setting in Fedora, so there is no need for this step.
But for other distros: menu, system settings, Users & groups, select "wineuser", & take it out of the wheel group.

b- Disable su power for any newly added standard user:
There are 3 ways to do this:
sudo vi /etc/pam.d/su
then uncomment the following line:
#auth required pam_wheel.so use_uid
then save & exit

c- Be sure that SSH (if already installed on your PC) is disabled:
- to show the state of SSH in brief (just active or not active):
$ systemctl is-active sshd.service
- if SSH is active, then stop it permanently by:
sudo systemctl stop sshd.service

d- Restart your PC

II. Install WineHQ & Limit its Use to the wineuser Account Only:

- create a new group (to add "wineuser" to it). Let us call it "riskywork":
sudo groupadd riskywork
- install WineHQ
- restart your PC
- change ownership of the WineHQ/POL binary first, then change its rights, in the following sequence:
sudo chown root:riskywork $(which wine)
sudo chmod 750 $(which wine)
- add "wineuser" to the group "riskywork":
sudo usermod -a -G riskywork wineuser
or you can do this from the GUI: system menu, system settings, administration, users & groups …….. .

III. Install & Use Antivirus:

We need antivirus to avoid viruses damaging or modifying your files while they are within the "wineuser" home directory.
We have 2 options:

1) Install the portable clamav package within the wineuser account & run it via WineHQ. (Recommended: less invasive & does not consume your machine's resources when you are using your owner account, as the antivirus scan works only within the home directory of the "wineuser" account.)
2) Alternatively, you can install an ordinary antivirus package from the repositories from within your owner account. In this case, the antivirus scan will work on all of your OS.

You have to update your antivirus & scan the home directory of "wineuser" every time before use, to avoid viruses damaging or modifying your files while they are within the "wineuser" home directory.
That is all! Now it is as if you have 2 laptops in your single PC. When you would like to use a Windows application, say PDF restriction removal to remove password limitations from a PDF, you should put your PDF on a USB flash stick, enter the "wineuser" account, update the antivirus, scan the USB flash stick, use the Windows program to remove the limitations from it, then log out of the "wineuser" account & log in to your ordinary account & store your PDF in your ordinary home directory & let viruses play in the wineuser account home – if they escape the scan!!
I'm on Fedora 24 x64 Cinnamon Edition.

The approach works very well. I tested it in 2 steps:

1) I logged in to my 1st user (the owner account that I created during the fresh installation of my Fedora):

I tried to run .exe files from my 1st user (the owner account which has sudo & su power) BUT THEY NEVER EVER WORKED.

I then tried the following commands from the terminal:

$ wine uninstaller
$ wine config
$ wine application.exe

All failed & I received "permission denied" messages in response to them, so everything is O.K.

2) Then I switched to the "wineuser" account & repeated the above tests & all ran normally & I installed Windows applications very well & ran them very O.K ......

--------------------------
The problem started when I recognized, while logged in to my 1st user account (the owner account with sudo & su power), that although I cannot run from the terminal:

$ wine config

I CAN STILL LAUNCH THE GUI OF WINE CONFIGURATION BY CLICKING THE ICON FOR IT THAT WAS CREATED IN THE APPLICATIONS MENU !!! When I clicked this icon a ./wine folder was created in the home directory & the GUI to configure Wine appeared, & I used it to change the configuration to set the default from Windows XP to Windows 7 ....

Later on I discovered that I am still able to run the wine browser in the same way: click on its icon in the applications menu !!!

Then, & in the same way, I ran a game that came with Wine (built in) called Wine minet or something like this !!!

But whenever I tried to run a Windows .exe file or install a Windows program, I failed (till now).

----------------------

My questions:

1) Does this represent or carry a risk of running a virus or malware while I'm logged in to my owner account (which has su & sudo power)? Certainly I will never run wine as root, but I am asking about the risk of a virus specifically engineered to attack Linux via WineHQ already installed on Linux.

2) Why does this happen?! I can still run wine configuration, wine file, wine browser, the wine built-in game, .. from the applications menu while I cannot do any of these from the terminal?

3) In the light of point (2) above, what do I have to do further to avoid this issue? Is (are) there further step(s) needed to improve the approach described above?

Please, your kind help!
Last edited by Nokia-808 on Fri Mar 24, 2017 3:01 pm, edited 1 time in total.
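
A way to verify the account restrictions from steps I and II above, as an added example that is not part of the original post: it reads the files those steps edit and prints PASS or FAIL per check. The function names and the file-path parameters are assumptions made for the example; "wineuser", "riskywork" and the pam_wheel.so line come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): check the restrictions from steps I-II.
# File paths are parameters so the checks can also be tried on copies.

# True if FILE has an uncommented "auth required pam_wheel.so" line,
# i.e. su is limited to members of the wheel group.
su_limited_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# True if USER is listed as a member of GROUP in GROUPFILE (/etc/group format).
# Primary-group membership recorded in /etc/passwd is not covered here.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$3"
}

# check_isolation USER PAMFILE GROUPFILE -> one PASS/FAIL line per check
check_isolation() {
    if su_limited_to_wheel "$2"; then echo "PASS su requires wheel"
    else echo "FAIL pam_wheel line not active in $2"; fi
    if in_group "$1" wheel "$3"; then echo "FAIL $1 is in wheel"
    else echo "PASS $1 not in wheel"; fi
    if in_group "$1" riskywork "$3"; then echo "PASS $1 in riskywork"
    else echo "FAIL $1 not in riskywork"; fi
    # "systemctl stop" only lasts until the next boot; is-enabled reports
    # whether sshd will be started again at boot.
    if command -v systemctl >/dev/null 2>&1; then
        echo "INFO sshd at boot: $(systemctl is-enabled sshd.service 2>/dev/null || true)"
    fi
}

check_isolation wineuser /etc/pam.d/su /etc/group
```

Run it as any user who can read /etc/pam.d/su and /etc/group; a FAIL line names the step that has not taken effect.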
dimesio
Moderator
Posts: 13202
Joined: Tue Mar 25, 2008 10:30 pm

Re: Help me to complete this supersecure approach for WineHQ

Post by dimesio »

Nokia-808 wrote:
2) Why does this happen?! I can still run wine configuration, wine file, wine browser, the wine built-in game, .. from the applications menu while I cannot do any of these from the terminal?
Those menu items are not part of Wine; they are added by some distros to their packages. You need to change the ownership of the corresponding .desktop files. On my system they are located in /usr/share/applications.
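
One way to see what those menu entries actually start, as an added example that is not part of the original thread: it reads the Exec= line of each launcher that mentions wine and reports whether the program it names is still executable by every user. The function names are assumptions made for the example, and it relies on GNU readlink -f and stat -c.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU readlink -f and stat -c.

# Find a program by name in $PATH without requiring execute permission, so a
# binary restricted with chmod 750 is still located when run by an outsider.
find_in_path() (
    set -f; IFS=:
    for d in $PATH; do
        [ -f "$d/$1" ] && { printf '%s\n' "$d/$1"; return 0; }
    done
    return 1
)

# Print the program word of an Exec= value, skipping an "env VAR=value" prefix.
exec_program() (
    set -f
    for w in $1; do
        case "$w" in env|*=*) continue ;; esac
        printf '%s\n' "$w"; return 0
    done
    return 1
)

# audit_wine_launchers DIR...
# One tab-separated line per launcher: verdict, mode, resolved program, file.
audit_wine_launchers() (
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.desktop' | sort | while IFS= read -r file; do
            exec_value=$(sed -n 's/^Exec=//p' "$file" | head -n 1)
            case "$exec_value" in *wine*) ;; *) continue ;; esac
            prog=$(exec_program "$exec_value") || continue
            case "$prog" in
                */*) found=$prog ;;
                *)   found=$(find_in_path "$prog") || found= ;;
            esac
            if [ ! -e "$found" ]; then
                printf 'MISSING\t-\t%s\t%s\n' "$prog" "$file"; continue
            fi
            target=$(readlink -f "$found")  # chmod changes this file, not a symlink to it
            mode=$(stat -c '%a' "$target")
            case "$mode" in *[1357]) verdict=WORLD-EXEC ;; *) verdict=RESTRICTED ;; esac
            printf '%s\t%s\t%s\t%s\n' "$verdict" "$mode" "$target" "$file"
        done
    done
    return 0
)

audit_wine_launchers /usr/share/applications "$HOME/.local/share/applications"
```

A WORLD-EXEC line means that launcher starts a program the chown/chmod step did not restrict; RESTRICTED means the launcher points at a binary only root and its group can execute.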

Re: Help me to complete this supersecure approach for WineHQ

Post by Nokia-808 »

dimesio wrote:
2) Why does this happen?! I can still run wine configuration, wine file, wine browser, the wine built-in game, .. from the applications menu while I cannot do any of these from the terminal?
Those menu items are not part of Wine; they are added by some distros to their packages. You need to change the ownership of the corresponding .desktop files. On my system they are located in /usr/share/applications.

Do they bear risk?!

Can I detect their location by using the "which" command, & how (what do I have to type)?

Re: Help me to complete this supersecure approach for WineHQ

Post by Nokia-808 »

Dear, I inspected all the dependency packages for WineHQ with my package manager "Yum extender (DNF)".

One of these packages is called "wine-desktop" & is described as "Desktop integration features for wine". Is this package responsible for this issue or not? The Yum extender description points to it as originating from www.winehg.org (web site of the package) ??!!!

Please, your help!

By the way, I'm a beginner, & this approach was suggested by this forum when I opened an old topic about how to run WineHQ in a safe, secure way, but I opened this new thread because the 1st thread is old & because I discovered many errors in the old one. The approach that I gave in my 1st post in this new thread, putting it in a quote, is so regular not because it was posted in another forum, but because I stored it in an office document, preparing to post it in the Fedora Forum for the benefit of the community; but when I discovered this issue I did not post it in the Fedora forum & posted it here to complete it. I mean by that, I need your help & no one else can help me like you. This approach was originally suggested by this forum, not by me (changing ownership & permissions of the binaries was suggested by this forum + running WineHQ in a separate secure account was suggested by me). I started to apply it yesterday because I was searching for a 2nd laptop to try it on as a lab & just yesterday such a laptop became available.

Best.

Re: Help me to complete this supersecure approach for WineHQ

Post by dimesio »

The only packages supported here are the WineHQ ones, and you are clearly not using those, because they do not include the menu items you are complaining about. I don't use Fedora and am not familiar with how they split up their packages; you need to ask for help on the Fedora forum, or contact the Fedora package maintainer, for help with that.

FYI, WineHQ does build official packages for Fedora 22, 23, and 24, so if you are using one of those versions, upgrading to the WineHQ packages will get rid of those .desktop files. Unfortunately there are still no WineHQ packages for Fedora 25.

Re: Help me to complete this supersecure approach for WineHQ

Post by Nokia-808 »

@dimesio

I understand now! I will open a thread in the Fedora Forum about this issue.

But, do you have any idea about the following:

1) Are these .desktop files risky; do they undermine this approach or not?

2) I have already deleted them from the applications menu in Cinnamon on my owner user account (which has sudo & su power) by: right click the applications menu icon, click "configure ...", & use the menu editor to delete all these icons. Is this enough or not?

Re: Help me to complete this supersecure approach for WineHQ

Post by dimesio »

I'm not a security expert, so I really can't advise you on that, either.

Re: Help me to complete this supersecure approach for WineHQ

Post by Nokia-808 »

Hi. I already opened a thread about this in the Fedora forum & in the Fedora packages on GitHub. On the Fedora forum it seems that I will get no answer. Meanwhile I discovered the place on my Fedora where the .desktop files are stored. It is ./local/share/applications

I uploaded these files (which I got from my 1st user account = the owner account which has sudo & su power, & which I have already blocked from access to WineHQ). Please look at these files to see how & in which way they can open the GUI for WineHQ even though WineHQ is already blocked, such that it cannot execute any of the wine commands from the terminal & is unable to run or install any Windows application other than those built in with WineHQ. I'm not expert enough to study these files.

Please, after you finish with these files, inform me so that I can delete them.

Best.

https://drive.google.com/drive/folders/ ... sp=sharing