Setting capabilities for process running under Wine

Open forum for end-user questions about Wine. Before asking questions, check out the Wiki as a first step.
Forum Rules
Locked
DieselMachine
Level 2
Level 2
Posts: 12
Joined: Sun Apr 11, 2010 11:09 am

Setting capabilities for process running under Wine

Post by DieselMachine »

Hi, Wine users.

I'm trying to run my favourite game under Wine but it fails here:
From icmp.c:

Code: Select all

    int sid=socket(AF_INET,SOCK_RAW,IPPROTO_ICMP);
    if (sid < 0) {
        ERR_(winediag)("Failed to use ICMP (network ping), this requires special permissions.\n");
I have read at this forum that the best solution is to assign Wine required capability. I have done this using

Code: Select all

sudo setcap cap_net_raw+epi /usr/bin/wine
As oiaohm written here http://forum.winehq.org/viewtopic.php?t=7588
Capabilities set on wine do inherit threw. Wine is coded that way
But it didn't help me (I don't know why). I'm trying to investigate this problem.

First, I did strace for wine (I have also assigned the same capability for strace) and it showed

Code: Select all

3848  execve("/usr/bin/wine", ["wine", "C:\\Games\\Lineage\\L2.exe"], [/* 27 vars */]) = 0
......
3848  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7821728) = 3869
......
3869  clone(child_stack=0x2d3f494, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x2d3fbd8, {entry_number:7, base_addr:0x2d3fb70, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x2d3fbd8) = 3896
......
3896  socket(PF_INET, SOCK_RAW, IPPROTO_ICMP <unfinished ...>
3869  mprotect(0x2050c000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC <unfinished ...>
3896  <... socket resumed> )            = -1 EPERM (Operation not permitted)
3869  <... mprotect resumed> )          = 0
3896  write(2, "err:winediag:IcmpCreateFile Fail"..., 98 <unfinished ...>
Second, I wrote a simple program that starts second thread and creates raw socket and it didn't fail after assigning it the same capability. Here is strace:

Code: Select all

clone(Process 3841 attached
child_stack=0xb77bc494, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xb77bcbd8, {entry_number:6, base_addr:0xb77bcb70, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0xb77bcbd8) = 3841
.......
[pid  3841] socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3
Where is my fault?

Thanks in advance
Top
Thunderbird
Level 5
Level 5
Posts: 336
Joined: Mon Nov 24, 2008 8:10 am

Post by Thunderbird »

You should set this capability on wineserver as that's what is actually creating the sockets.
Top
DieselMachine
Level 2
Level 2
Posts: 12
Joined: Sun Apr 11, 2010 11:09 am

Post by DieselMachine »

Thank you, Thunderbird. But actually my problem solved when I set capabilities on /usr/bin/wine-preloader, not wineserver
Top
minami
Newbie
Newbie
Posts: 1
Joined: Fri Jun 25, 2010 4:57 am

Post by minami »

Thunderbird wrote:You should set this capability on wineserver as that's what is actually creating the sockets.
Thanks, this did the trick for me. (v. 1.1.44)
Top
jeku
Newbie
Newbie
Posts: 1
Joined: Mon Jan 23, 2012 5:11 am

Post by jeku »

Hi, I hope someone can help..
I am running this on a redhat 5 version.
My problem is that I am not able to run the sudo command due to limitations in the company policy....
I got help to do this setcap from a guy who owned the root password.
However after doing the setcap command as root, then wineserver was not able to find the libwine.so.1.
Is there some way around this?

BR
Jan Erik
Top
jjmckenzie
Moderator
Moderator
Posts: 1153
Joined: Wed Apr 27, 2011 11:01 pm

Setting capabilities for process running under Wine

Post by jjmckenzie »

On Mon, Jan 23, 2012 at 3:24 AM, jeku <[email protected]> wrote:
Hi, I hope someone can help..
I am running this on a redhat 5 version.
My problem is that I am not able to run the sudo command due to limitations in the company policy....
This is what you have to do...
I got help to do this setcap from a guy who owned the root password.
However after doing the setcap command as root, then wineserver was not able to find the libwine.so.1.
You broke Wine by running it as root. See the FAQ on how to fix.

James
Top
vitamin
Moderator
Moderator
Posts: 6605
Joined: Sat Feb 23, 2008 2:29 pm

Re: Setting capabilities for process running under Wine

Post by vitamin »

jjmckenzie wrote:You broke Wine by running it as root. See the FAQ on how to fix.
I'm not sure this is the case. Setcaps is not the same as setuid...

Was able to reproduce it here as well. This is actually a known problem: http://bugs.winehq.org/show_bug.cgi?id=26256
Top
jjmckenzie
Moderator
Moderator
Posts: 1153
Joined: Wed Apr 27, 2011 11:01 pm

Setting capabilities for process running under Wine

Post by jjmckenzie »

On Tue, Jan 24, 2012 at 9:50 PM, vitamin <[email protected]> wrote:
jjmckenzie wrote:
You broke Wine by running it as root.  See the FAQ on how to fix.
I'm not sure this is the case. Setcaps is not the same as setuid...
I 'read' that the user used sudo to run the program which should be
the same as running as root. This should not be recommended...

Was able to reproduce it here as well. This is actually a known problem: http://bugs.winehq.org/show_bug.cgi?id=26256
That is good to know.

James
Top
Locked

Return to “Wine Help”