Access C Drive without root access

[Hawgnes]

Hello,

I am building a docker image of Wine to serve as a build server (using MSBuild) for our application. MSBuild installs into this path if installed as root: drive_c/Program Files/MSBuild/14.0/Bin

My current experiment is I use root to install wine and all MSBuild dependencies on an ubuntu:24.04 image, then change user to xclient (name of my non-root user); however, this way client does not have access to the MSBuild path.

I thought about installing wine and other dependencies right from the start, but only root have permission to install; I could add xclient to the sudoers group, but would this make not running wine as root pointless?

This docker image will only be spun up by Jenkins when we need to build our application, it will be stopped and removed after completion - taking that into account, do I still really need to run wine as non-root?


Thank you in advance!

[DarkShadow44]

I wouldn't run it as root. I don't really understand why you can't install as non-root.

[Hawgnes]

In my Dockerfile, I started from an Ubuntu image, then installed Wine as root - what I got confused with was thinking I need to somehow install Wine as non-root (which is not the same and is not doable without some hacks if I understand it correctly).

After consulting with some more experienced Linux users, I installed Wine as root then allowed it to be ran by all users by setting permission like this in the Dockerfile:

Code: Select all

# Allow all users to read and execute wine
RUN chmod a+rx $(which wine)

But from now on, I kept encountering permission denied issue where wine could not chdir to some /tmp directories.
I eventually figured out that I actually ran wine as root, specifically winecfg. (which is supposed to initialize the new WINEPREFIX, I believe?)

After realizing that, I just switch to a non-root user and then only ran winecfg and other installations, and everything went ok, I get a drive_c under the new WINEPREFIX which is owned by the non-root user, unlike my previous experimental containers where its drive_c required root to access (because I ran everything as root without changing WINEPREFIX).
At this point, this answers the title of this post.


Another question that I have is, is it safe to grant rwx permission to all users for WINEPREFIX?

Code: Select all

RUN chmod -R a+rwx /home/nonrootuser

The reason I'm asking this is because I'm trying to setup so Jenkins could spin up the aforementioned Wine image as container, I'm thinking if I grant permission of WINEPREFIX for all user, (I think) I can easily run wine, but does this defeat the purpose of running wine as non-root?


Regards.

[DarkShadow44]

In my Dockerfile, I started from an Ubuntu image, then installed Wine as root - what I got confused with was thinking I need to somehow install Wine as non-root (which is not the same and is not doable without some hacks if I understand it correctly).

Yes, installation usually requires root.

After consulting with some more experienced Linux users, I installed Wine as root then allowed it to be ran by all users by setting permission like this in the Dockerfile:

Not sure why that would be needed, it should be able to run without that.

But from now on, I kept encountering permission denied issue where wine could not chdir to some /tmp directories.
I eventually figured out that I actually ran wine as root, specifically winecfg. (which is supposed to initialize the new WINEPREFIX, I believe?)

If you run any program in wine, and there is no WINEPREFIX yet, it will create a new one. For the current user. If you run it as root once, it may create root-owned files that the normal user can't use, which leads to issues.

Another question that I have is, is it safe to grant rwx permission to all users for WINEPREFIX?

Define safe. It allows everyone to read and write there, you are the only one who knows if that could cause security implications.

The reason I'm asking this is because I'm trying to setup so Jenkins could spin up the aforementioned Wine image as container, I'm thinking if I grant permission of WINEPREFIX for all user, (I think) I can easily run wine, but does this defeat the purpose of running wine as non-root?

The point of not running Wine as root is mostly to prevent rouge programs from accessing your entire system. As root you can do quite some damage, as a normal user that damage is more limited in nature.