Disable games with wine
Disable games with wine
How i can constrain apllications to be used with wine. I just want to use wine for specifics applications; no games or another things.
Re: Disable games with wine
Your question does not make sense. You have to install apps in Wine to run them, and if you don't want to run them in Wine, why would you install them in the first place?Trohan wrote:How i can constrain apllications to be used with wine. I just want to use wine for specifics applications; no games or another things.
Disable games with wine
On 2010-04-06 (April, Tuesday) 15:37:09 Trohan wrote:
understood that you want to install some programs for your users and then
restrict installation or execution of any other Windows applications or games
by those users. Is this correct?
I'm sorry, its hard to understand question with so many typos. What IBecause is not for me, is for more users. I dont wanna them used other
applications, like games, etc; just applications instaled for me
understood that you want to install some programs for your users and then
restrict installation or execution of any other Windows applications or games
by those users. Is this correct?
Disable games with wine
On 2010-04-10 (April, Saturday) 00:33:50 Trohan wrote:
right way that will be suitable both for you and your users. Please answer
following questions:
1) Do you expect users to try to bypass any restrictions you will put on them?
In other words, do you expect them to try to create another Wine prefixe or try
to do other "advanced things" to bypass your restrictions? If yes, any possible
way to bypass such restrictions must be blocked (I will tell you how if you
answer "yes" to this question).
2) Are programs you wish your users to use require writable registry access?
3) Are programs you wish your users to use require writable filesystem access?
(For example, many web-based and some other programs don't require any kind of
writable access assuming they are already configured).
4) Can you code in C? Can you write zsh/bash scripts? At least basic knowledge
of C and zsh/bash scripting is recommended. However there is many things you
can do even without any such knowledge - depends on what you want (answer
questions above).
There is many ways to do it. I need more information to help you choose theYes thats all I want
right way that will be suitable both for you and your users. Please answer
following questions:
1) Do you expect users to try to bypass any restrictions you will put on them?
In other words, do you expect them to try to create another Wine prefixe or try
to do other "advanced things" to bypass your restrictions? If yes, any possible
way to bypass such restrictions must be blocked (I will tell you how if you
answer "yes" to this question).
2) Are programs you wish your users to use require writable registry access?
3) Are programs you wish your users to use require writable filesystem access?
(For example, many web-based and some other programs don't require any kind of
writable access assuming they are already configured).
4) Can you code in C? Can you write zsh/bash scripts? At least basic knowledge
of C and zsh/bash scripting is recommended. However there is many things you
can do even without any such knowledge - depends on what you want (answer
questions above).
Well
Well basically, I dont wanna users can't change anything, just use de followings programs:
- Dreamweaver
- Statgraphics
- Office
- Derive
They dont need modify the filesystem, create another prefix of wine and especially playing games, nothing about this.
About code in C, sorry but I dont know.
Thanks for your time
- Dreamweaver
- Statgraphics
- Office
- Derive
They dont need modify the filesystem, create another prefix of wine and especially playing games, nothing about this.
About code in C, sorry but I dont know.
Thanks for your time
Disable games with wine
Sorry for a delay, I was very busy and couldn't find a time to write this
answer sooner.
On 2010-04-12 (April, Monday) 12:43:52 Trohan wrote:
filesystem can be used only to open files (users will not be able edit or save
anything). Are you sure you really want to block write access for Wine? Please
note that ability to save his/her work does not mean that a user can write
anywhere in the filesystem. Usually with programs you mentioned (which are
supposed to be used to edit and save files) you want to allow user(s) to write
to at least one directory.
or to /etc/bash.bashrc:
declare -rx WINEPREFIX=~/.wine
However, this will not stop someone who have understanding of bash or zsh -
such user will bypass this "restriction" in just few seconds (because it isn't
a restriction actually). However it is good to have this line there anyway even
if all your users are smart enough to bypass it - to indicate the user(s) that
trying to change WINEPREFIX is wrong.
If your users are not "too advanced" then doing "declare -rx
WINEPREFIX=~/.wine" trick and restricting access to 32-bit OpenGL libraries (or
simply uninstalling those libraries) for your users will prevent them from
running any game that need advanced 2D or 3D graphics with Wine (or any other
32-bit application that needs those libraries).
If this isn't enough (for example you don't want your users to install
anything easily) you can add more restrictions.
Create user and group "wine" and use chown and chgrp to assign wine user and
group using chgrp -R and chown -R to ~/.wine/drive_c of all your users and use
chmod -R go-w to restrict users to add or change files in drive_c.
Here is an example set of commands to achieve everything mentioned above:
if [[ -e /etc/zsh/zshenv ]]; then
{ echo "declare -rx WINEPREFIX=~/.wine" >> /etc/zsh/zshenv }; fi
if [[ -e /etc/bash.bashrc ]]; then
{ echo "declare -rx WINEPREFIX=~/.wine" >> /etc/bash.bashrc }; fi
addgroup --system wine
adduser --system wine --ingroup wine
for i in "myuser1" "myuser2" "myuser3"
{
chown -R wine /home/"$i"/.wine/drive_c
chgrp -R wine /home/"$i"/.wine/drive_c
chmod -R og-w /home/"$i"/.wine/drive_c
rm /home/"$i"/.wine/dosdevices/z:
mkdir /home/"$i"/Wine\ Documents
chown "$i" /home/"$i"/Wine\ Documents
chgrp "$i" /home/"$i"/Wine\ Documents
chmod 770 /home/"$i"/Wine\ Documents
ln -s /home/"$i"/Wine\ Documents /home/"$i"/.wine/dosdevices/x:
}
Of course replace "myuser1" "myuser2" "myuser3" with real user list; all users
should already have ~/.wine with all necessary programs installed.
After above commands each user will be able to write from all Wine programs
only to specifically designated directory ~/"Wine Documents" available as X: to
Windows application under Wine (you can change commands to suite your real
world needs).
Please note that some Windows applications require write access to certain
directories or files. Use chown and chgrp to give back permission to write to
such files and directories to your users (examples are: log files, configuration
files you don't want to freeze, or file/directory that causes error if not
writable).
If your users aren't "too advanced" this method may work very well.
I don't want to describe second way before you say you really requite it.
Also, I must warn you that second way will place restrictions that cannot be
bypassed (at least in theory) only if you will make zero mistakes; this way
will also require from you some advanced knowledge or time to learn it (nothing
very hard, but no simple either). It will take a lot of your time just to put
together white-list of executables your users are allowed to run - both Linux
and windows executables to be 100% sure that users will run only those programs
they are supposed to run.
Actually there is a third way - to monitor your users by recording their
actions for later review (reviewing 8 hours of someones active work is usually
very fast - just few minutes or even seconds if using some kind of automation).
In this case you first warn your users that all their actions are carefully
monitored and recorded including full content of their screen. If your users
can have even small but real problem(s) in case you have 100% proof that they
were doing something that they aren't supposed to do (for example, playing
games) then this method can be very effective; otherwise it's useless. If you
are interested in this way I can give you all you need to quickly set this up.
If you are unfamiliar with this method it may look to you like something
complex or time consuming but it isn't and that's why it can work even if you
have many users.
First and third ways can be combined together for greater effectiveness. My
suggestion: first try the first way (perhaps combining it with monitoring of
your users). If it will not work good enough then you will need to do it
properly and restrict your users to only those programs and permissions they
really need (the second way).
answer sooner.
On 2010-04-12 (April, Monday) 12:43:52 Trohan wrote:
Applications like Dreamweaver or Office without possibility to modify theWell basically, I dont wanna users can't change anything, just use de
followings programs:
- Dreamweaver
- Statgraphics
- Office
- Derive
They dont need modify the filesystem
filesystem can be used only to open files (users will not be able edit or save
anything). Are you sure you really want to block write access for Wine? Please
note that ability to save his/her work does not mean that a user can write
anywhere in the filesystem. Usually with programs you mentioned (which are
supposed to be used to edit and save files) you want to allow user(s) to write
to at least one directory.
You can add the following line to /etc/zsh/zshenv if your users are using zshThey dont need ... create another prefix of wine
or to /etc/bash.bashrc:
declare -rx WINEPREFIX=~/.wine
However, this will not stop someone who have understanding of bash or zsh -
such user will bypass this "restriction" in just few seconds (because it isn't
a restriction actually). However it is good to have this line there anyway even
if all your users are smart enough to bypass it - to indicate the user(s) that
trying to change WINEPREFIX is wrong.
Let's consider two ways to do what you want:especially playing games, nothing about this.
If your users are not "too advanced" then doing "declare -rx
WINEPREFIX=~/.wine" trick and restricting access to 32-bit OpenGL libraries (or
simply uninstalling those libraries) for your users will prevent them from
running any game that need advanced 2D or 3D graphics with Wine (or any other
32-bit application that needs those libraries).
If this isn't enough (for example you don't want your users to install
anything easily) you can add more restrictions.
Create user and group "wine" and use chown and chgrp to assign wine user and
group using chgrp -R and chown -R to ~/.wine/drive_c of all your users and use
chmod -R go-w to restrict users to add or change files in drive_c.
Here is an example set of commands to achieve everything mentioned above:
if [[ -e /etc/zsh/zshenv ]]; then
{ echo "declare -rx WINEPREFIX=~/.wine" >> /etc/zsh/zshenv }; fi
if [[ -e /etc/bash.bashrc ]]; then
{ echo "declare -rx WINEPREFIX=~/.wine" >> /etc/bash.bashrc }; fi
addgroup --system wine
adduser --system wine --ingroup wine
for i in "myuser1" "myuser2" "myuser3"
{
chown -R wine /home/"$i"/.wine/drive_c
chgrp -R wine /home/"$i"/.wine/drive_c
chmod -R og-w /home/"$i"/.wine/drive_c
rm /home/"$i"/.wine/dosdevices/z:
mkdir /home/"$i"/Wine\ Documents
chown "$i" /home/"$i"/Wine\ Documents
chgrp "$i" /home/"$i"/Wine\ Documents
chmod 770 /home/"$i"/Wine\ Documents
ln -s /home/"$i"/Wine\ Documents /home/"$i"/.wine/dosdevices/x:
}
Of course replace "myuser1" "myuser2" "myuser3" with real user list; all users
should already have ~/.wine with all necessary programs installed.
After above commands each user will be able to write from all Wine programs
only to specifically designated directory ~/"Wine Documents" available as X: to
Windows application under Wine (you can change commands to suite your real
world needs).
Please note that some Windows applications require write access to certain
directories or files. Use chown and chgrp to give back permission to write to
such files and directories to your users (examples are: log files, configuration
files you don't want to freeze, or file/directory that causes error if not
writable).
If your users aren't "too advanced" this method may work very well.
I don't want to describe second way before you say you really requite it.
Also, I must warn you that second way will place restrictions that cannot be
bypassed (at least in theory) only if you will make zero mistakes; this way
will also require from you some advanced knowledge or time to learn it (nothing
very hard, but no simple either). It will take a lot of your time just to put
together white-list of executables your users are allowed to run - both Linux
and windows executables to be 100% sure that users will run only those programs
they are supposed to run.
Actually there is a third way - to monitor your users by recording their
actions for later review (reviewing 8 hours of someones active work is usually
very fast - just few minutes or even seconds if using some kind of automation).
In this case you first warn your users that all their actions are carefully
monitored and recorded including full content of their screen. If your users
can have even small but real problem(s) in case you have 100% proof that they
were doing something that they aren't supposed to do (for example, playing
games) then this method can be very effective; otherwise it's useless. If you
are interested in this way I can give you all you need to quickly set this up.
If you are unfamiliar with this method it may look to you like something
complex or time consuming but it isn't and that's why it can work even if you
have many users.
First and third ways can be combined together for greater effectiveness. My
suggestion: first try the first way (perhaps combining it with monitoring of
your users). If it will not work good enough then you will need to do it
properly and restrict your users to only those programs and permissions they
really need (the second way).
