How to avoid users installing any Windows programs

and78386
Newbie
Posts: 2
Joined: Fri Nov 05, 2010 5:34 am

How to avoid users installing any Windows programs

Post by and78386 »

Hi,

I have some multi user machines, which are installed with Ubuntu 10.04 and Wine.

Wine is only needed for one special Windows application, so the standard users should not be able to install or run any other Windows program on these machines.

What steps are needed for that task?

Cheers,
Andreas
vitamin
Moderator
Posts: 6605
Joined: Sat Feb 23, 2008 2:29 pm

Re: How to avoid users installing any Windows programs

Post by vitamin »

and78386 wrote: What steps are needed for that task?
Unless your users are prohibited from writing files to the disk, you can't do what you want. Wine is a 100% user space application; it can do what the user can do.
doh123
Level 8
Posts: 1227
Joined: Tue Jul 14, 2009 1:21 pm

Post by doh123 »

Curious users might figure out how to get around this... but you can be a bit more stealthy so it's less likely someone can run whatever they want.

Make a launcher program called wine that is used to launch the program you want... that only allows the one you want to be run... anything else will not run. It will launch by using some other file you've somehow hidden as the executable for wine... renaming wine to whatever, maybe a hidden file, or something unsuspecting. If anyone tries the wine command it'll actually be using your custom launcher program instead of the real wine executable. Anyone who finds out what the real wine executable is named will be able to use it though... unless you purposefully make it where it cannot run because it cannot find its libraries unless it's launched a certain way, which you have in your custom launcher program (which can't be a plain text script or they can just read it easily). That can still be figured out by enterprising users if they really want to. I cannot think of any 100% sure way to prevent the "wine" command from being used as it was designed to be used.
and78386
Newbie
Posts: 2
Joined: Fri Nov 05, 2010 5:34 am

Post by and78386 »

So there seems to be no way, or rather no easy way, to prevent the users from going to download.com to install some crap freeware in Wine?

That's bad because it would annul the whole security concept I've configured for the non-admin users on my machines.

So Wine seems to be no option in secure multiuser environments?
dimesio
Moderator
Posts: 13367
Joined: Tue Mar 25, 2008 10:30 pm

Post by dimesio »

and78386 wrote: So there seems to be no way, or rather no easy way, to prevent the users from going to download.com to install some crap freeware in Wine?
AppArmor might be able to do what you want. Ask your distro.
vitamin
Moderator
Posts: 6605
Joined: Sat Feb 23, 2008 2:29 pm

Post by vitamin »

and78386 wrote: So Wine seems to be no option in secure multiuser environments?
No, Wine is not a sandbox: http://wiki.winehq.org/FAQ#head-f566a12 ... 13a773c571 . Use your O/S' abilities to restrict users.
williamh
Newbie
Posts: 2
Joined: Thu Nov 04, 2010 5:27 pm

Post by williamh »

and78386 wrote: So there seems to be no way, or rather no easy way, to prevent the users from going to download.com to install some crap freeware in Wine?

That's bad because it would annul the whole security concept I've configured for the non-admin users on my machines.

So Wine seems to be no option in secure multiuser environments?
(Warning: this is mostly untested speculation)

I take it you want the user frodo to type

windows_app

then run wine, as frodo, running a specific application (thus giving the application the same permissions as frodo); however, the user should have no ability to run any other application.

The simplest way I can think of to do this is to compile a custom version of wine that has the application hard coded in. Put this in /usr/bin, and make it world executable. Thus the executable (and hence the app) would be run as frodo. There may be maintenance concerns as a new compile would be needed with each update.

A second method is to have a wine user, and have the wine executable owned by wine and not world executable. There would be a launcher program to use this. It is not sufficient to make the launcher program setuid, as then frodo would run the application as wine. Instead set up the following. The launcher program forks, process 1 waits on a pipe from process 2. Process 2 does setuid, then copies the wine executable, gives the new file world executable perms and sends the name to process 1 and waits a short while. When it receives the name, process 1 execs the copy, sending it the app as argument. Note that the copy and the app run as frodo. Process 2 unlinks the copy then exits. User frodo never has direct access to the wine executable, even if he learns the name.

This could probably be broken by a knowledgeable and determined frodo, but it would be easier for frodo to install his own version of wine in his home directory. Indeed, if frodo is allowed to download stuff, you are stuck with the security afforded by the OS. However, under this scenario, frodo cannot corrupt the wine that most people use.
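
The launcher idea from doh123's post and williamh's first method, as an added example that is not part of any post in this thread: a compiled wrapper that ignores its arguments, starts one fixed program and drops Wine-related environment variables. REAL_WINE, APPROVED_APP and the keep list are assumptions; as the replies point out, this only constrains the system-installed Wine, not a copy a user installs themselves.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define REAL_WINE    "/opt/wine-real/bin/wine"  /* assumed location of the real binary */
#define APPROVED_APP "/opt/approved/app.exe"    /* assumed path of the one allowed program */

/* Variables passed through; WINEPREFIX, WINEDLLOVERRIDES, WINESERVER,
 * WINELOADER, LD_PRELOAD and the caller's PATH are all dropped. */
static const char *const KEEP[] = { "HOME", "USER", "LOGNAME", "DISPLAY",
                                    "XAUTHORITY", "LANG", NULL };

/* Return 1 if "NAME=value" names a variable on the keep list (exact match). */
int env_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; KEEP[i]; i++)
        if (strlen(KEEP[i]) == n && strncmp(entry, KEEP[i], n) == 0) return 1;
    return 0;
}

/* Build a filtered, NULL-terminated environment with a fixed PATH appended. */
char **filter_env(char *const env[], size_t *kept) {
    size_t n = 0, k = 0;
    while (env[n]) n++;
    char **out = calloc(n + 2, sizeof *out);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++)
        if (env_allowed(env[i])) out[k++] = env[i];
    out[k++] = "PATH=/usr/bin:/bin";
    out[k] = NULL;
    if (kept) *kept = k;
    return out;
}

/* The argument vector is constant: nothing the caller typed reaches Wine. */
char *const *fixed_argv(void) {
    static char *const av[] = { "wine", APPROVED_APP, NULL };
    return av;
}

extern char **environ;
int main(void) {                                /* argv is never read */
    char **env = filter_env(environ, NULL);
    if (env) execve(REAL_WINE, fixed_argv(), env);
    perror("launcher");                         /* reached only on failure */
    return 127;
}
```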
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Post by oiaohm »

Big thing here. Wine is not coded for multi user support.

So each user has to have a copy of the program they want to run with more permissions than they need or it will screw up.

At some point someone will put up their hand to do the major recoding job to make wine simpler to wrap in selinux and others to prevent security issues.

Wine should not be seen as a long term tool. It is a short term tool.

A lot of Windows programs are insecure by nature. So have you audited the application? In almost every case I have found, the program people want from Windows does not pass basic rules of security. So even if wine worked you would be breaching security ideals running it.
vitamin
Moderator
Posts: 6605
Joined: Sat Feb 23, 2008 2:29 pm

Post by vitamin »

williamh wrote: This could probably be broken by a knowledgeable and determined frodo, but it would be easier for frodo to install his own version of wine in his home directory.
Exactly.

All BS of company policies aside, unless OP restricts users from creating any files on his system, it is impossible to make Wine run only "approved" applications. Yes, there are ways to "cheat" inexperienced users, but that won't work for power users, who know how to use Google and/or can figure out how to compile a custom Wine version.