Wine and security, keeping viruses contained
-
- Level 1
- Posts: 8
- Joined: Sat May 03, 2008 3:02 am
Wine and security, keeping viruses contained
Hello everybody, I think Wine is a great project. I am still new to linux (running Ubuntu, for that matter) but I have started to delve into rights management and security, so I have a question concerning the setup of Wine: Is it really advisable to link so many of may Linux home folders to the simulated Windows environment? If a windows virus deploys within the simulation and tries to delete *.doc files, for example - a lot of such viruses exist - then it could do so within my home directory on the Linux side, correct?
So I tried to delete all the preconfigured links between Wine/windows-directories and my "home" directory. the relevant lines are just blank now (I use winecfg from my ubuntu/gnome applications menu).
However, when I tried a windows program (old game Jedi Knight 2, btw), it asked whether it should create a link on my desktop. Which I told it to do, believing that the link would end up within home/.wine/drive_c/windows/profiles/... /desktop
Which it did, but it also showed up on my linux desktop (home/.../desktop). So the link is still between windows desktop and linu desktop is still working, right? And what about the other links to my home directories, are they working too?
How can I switch this off, and should I do it? Is this dangerous or not?
So I tried to delete all the preconfigured links between Wine/windows-directories and my "home" directory. the relevant lines are just blank now (I use winecfg from my ubuntu/gnome applications menu).
However, when I tried a windows program (old game Jedi Knight 2, btw), it asked whether it should create a link on my desktop. Which I told it to do, believing that the link would end up within home/.wine/drive_c/windows/profiles/... /desktop
Which it did, but it also showed up on my linux desktop (home/.../desktop). So the link is still between windows desktop and linu desktop is still working, right? And what about the other links to my home directories, are they working too?
How can I switch this off, and should I do it? Is this dangerous or not?
Re: Wine and security, keeping viruses contained
Yes. Anything your user can do Wine can so does any program running on Wine.JerryQuest wrote:Hello everybody, I think Wine is a great project. I am still new to linux (running Ubuntu, for that matter) but I have started to delve into rights management and security, so I have a question concerning the setup of Wine: Is it really advisable to link so many of may Linux home folders to the simulated Windows environment? If a windows virus deploys within the simulation and tries to delete *.doc files, for example - a lot of such viruses exist - then it could do so within my home directory on the Linux side, correct?
You can do that in winecfg by un-checking "link" check-box. And removing mapping for the Z: drive. However this will not stop Wine from accessing the entire disk - everything your user can.JerryQuest wrote:How can I switch this off, and should I do it? Is this dangerous or not?
-
- Level 1
- Posts: 8
- Joined: Sat May 03, 2008 3:02 am
Ok, I understand that Wine itself will still be running with my user rights. But I want to stop the simulated Windows from accessing my personal folders, except the home/user/.wine of course.
I un-checked the check boxes, but why can Windows still place a link to a Windows program on my Linux desktop?
I un-checked the check boxes, but why can Windows still place a link to a Windows program on my Linux desktop?
Because you can.JerryQuest wrote: I un-checked the check boxes, but why can Windows still place a link to a Windows program on my Linux desktop?
The only way I can think of to get the level of security you want would be to create a separate user account solely for running Wine. That account would have access to everything in its own home folder, but not your regular one.
Windows can't - Wine can. I've already told you. Besides Wine can't do nothing if application makes system calls directly bypassing Wine.JerryQuest wrote:I un-checked the check boxes, but why can Windows still place a link to a Windows program on my Linux desktop?
The false sense of security is worse then no security.
Last edited by vitamin on Sun May 04, 2008 2:38 pm, edited 1 time in total.
Wine and security, keeping viruses contained
On Sun, May 4, 2008 at 1:03 PM, vitamin <[email protected]> wrote:
The false sense of security is worse then no security.
[/quote]
It runs with your user rights, you'd need something like Apparmor or
SELinux to accomplish that.
Windows can't - Wine can. I've already told you. Besides Wine can't do nothing if application makes system calls directly bypassing Wine.[quote="JI un-checked the check boxes, but why can Windows still place a link to a Windows program on my Linux desktop?
The false sense of security is worse then no security.
[/quote]
It runs with your user rights, you'd need something like Apparmor or
SELinux to accomplish that.
Wine and security, keeping viruses contained
JerryQuest skrev:
enough about Linux and its desktop standards to directly put a link on
your Linux desktop themselves? No, that's Wine's doing, placing a
converted link on your Linux desktop for your convenience.
Windows can not. Do you really think your Windows applications knowsOk, I understand that Wine itself will still be running with my user rights. But I want to stop the simulated Windows from accessing my personal folders, except the home/user/.wine of course.
I un-checked the check boxes, but why can Windows still place a link to a Windows program on my Linux desktop?
enough about Linux and its desktop standards to directly put a link on
your Linux desktop themselves? No, that's Wine's doing, placing a
converted link on your Linux desktop for your convenience.
-
- Level 1
- Posts: 8
- Joined: Sat May 03, 2008 3:02 am
Exactly what I mean. Wine should not enable the simulated Windows to access my Linux desktop if the respective check-box is NOT activated. This is either a bug or wrong design. Because Windows by itself only tries to access the Windows desktop.
The problem is with Wine transferring this access to the LInux desktop altough it has been explicitely told NOT to. I repeat again: the check-box is unchecked, there should be NO linking of the directories. This is not about user rights, it is about a Wine function gone wild.
Of course, maybe I dont get it right: What does Wine actually do? Does it automatically translate all Windows acess to the Windows desktop to my home/desktop folder? That would be a problem...
Or does it just duplicate all links (*.lnk etc.)? That would be a convenience function and not dangerous, of course.
The problem is with Wine transferring this access to the LInux desktop altough it has been explicitely told NOT to. I repeat again: the check-box is unchecked, there should be NO linking of the directories. This is not about user rights, it is about a Wine function gone wild.
Of course, maybe I dont get it right: What does Wine actually do? Does it automatically translate all Windows acess to the Windows desktop to my home/desktop folder? That would be a problem...
Or does it just duplicate all links (*.lnk etc.)? That would be a convenience function and not dangerous, of course.
Wine and security, keeping viruses contained
JerryQuest skrev:
just stated that Windows DID NOT access your Linux desktop. It was
Wine's doing, spawning a Unix shell script to create a link on your
desktop, for your convenience (or agitation, as it were).
That said, Wine isn't a sandbox, you can't really stop malicious
software from doing anything your user can do, if that software really
wants to break out of the simulated Windows environment.
Was that a reply to my comment? If so, what ARE you talking about? IExactly what I mean. Wine should not enable the simulated Windows to access my Linux desktop if the respective check-box is NOT activated. This is either a bug or wrong design.
just stated that Windows DID NOT access your Linux desktop. It was
Wine's doing, spawning a Unix shell script to create a link on your
desktop, for your convenience (or agitation, as it were).
That said, Wine isn't a sandbox, you can't really stop malicious
software from doing anything your user can do, if that software really
wants to break out of the simulated Windows environment.
-
- Level 1
- Posts: 8
- Joined: Sat May 03, 2008 3:02 am
I think the original issue is that the user is confusing the regular .desktop file with a windows shortcut - these are two completely different things.
Wine with use native linux tools to generate a desktop file, which looks similar to the windows sortcut, but it is most certainly not the windows shortcut.
This should not be a concern, as the generated desktop file is just a regular .desktop used by your linux system and has an exec line with wine and the windows program - that's all. It's not windows accessing your desktop
Cheers.
Wine with use native linux tools to generate a desktop file, which looks similar to the windows sortcut, but it is most certainly not the windows shortcut.
This should not be a concern, as the generated desktop file is just a regular .desktop used by your linux system and has an exec line with wine and the windows program - that's all. It's not windows accessing your desktop
Cheers.
Wine and security, keeping viruses contained
On Sun, May 4, 2008 at 5:14 PM, roderick <[email protected]> wrote:
permissions of the user account it is run as.
True, but wine apps can still access outside files, within theI think the original issue is that the user is confusing the regular .desktop file with a windows shortcut - these are two completely different things.
Wine with use native linux tools to generate a desktop file, which looks similar to the windows sortcut, but it is most certainly not the windows shortcut.
This should not be a concern, as the generated desktop file is just a regular .desktop used by your linux system and has an exec line with wine and the windows program - that's all. It's not windows accessing your desktop
Cheers.
permissions of the user account it is run as.
-
- Level 1
- Posts: 8
- Joined: Sat May 03, 2008 3:02 am