Setting capabilities for process running under Wine

Post by DieselMachine » Sun Apr 25, 2010 1:44 pm

Hi, Wine users.

I'm trying to run my favourite game under Wine but it fails here:
From icmp.c:

    int sid=socket(AF_INET,SOCK_RAW,IPPROTO_ICMP);
    if (sid < 0) {
        ERR_(winediag)("Failed to use ICMP (network ping), this requires special permissions.\n");

I have read on this forum that the best solution is to assign Wine the required capability. I have done this using

    sudo setcap cap_net_raw+epi /usr/bin/wine

As oiaohm wrote here http://forum.winehq.org/viewtopic.php?t=7588
> Capabilities set on wine do inherit through. Wine is coded that way

But it didn't help me (I don't know why). I'm trying to investigate this problem.

First, I did strace for wine (I have also assigned the same capability for strace) and it showed

3848  execve("/usr/bin/wine", ["wine", "C:\\Games\\Lineage\\L2.exe"], [/* 27 vars */]) = 0
......
3848  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7821728) = 3869
......
3869  clone(child_stack=0x2d3f494, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x2d3fbd8, {entry_number:7, base_addr:0x2d3fb70, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x2d3fbd8) = 3896
......
3896  socket(PF_INET, SOCK_RAW, IPPROTO_ICMP <unfinished ...>
3869  mprotect(0x2050c000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC <unfinished ...>
3896  <... socket resumed> )            = -1 EPERM (Operation not permitted)
3869  <... mprotect resumed> )          = 0
3896  write(2, "err:winediag:IcmpCreateFile Fail"..., 98 <unfinished ...>

Second, I wrote a simple program that starts a second thread and creates a raw socket, and it didn't fail after assigning it the same capability. Here is the strace:

clone(Process 3841 attached
child_stack=0xb77bc494, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0xb77bcbd8, {entry_number:6, base_addr:0xb77bcb70, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0xb77bcbd8) = 3841
.......
[pid  3841] socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3

Where is my fault?

Thanks in advance

Post by Thunderbird » Mon Apr 26, 2010 1:41 am

You should set this capability on wineserver as that's what is actually creating the sockets.

Post by DieselMachine » Mon Apr 26, 2010 1:23 pm

Thank you, Thunderbird. But actually my problem was solved when I set capabilities on /usr/bin/wine-preloader, not wineserver.
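
Added example, not part of the original thread and not Wine code: a small C model of the kernel's execve() capability rules from capabilities(7), showing why a capability set on /usr/bin/wine is gone by the time socket() runs, while setting it on wine-preloader works. It assumes an unprivileged user, leaves out ambient capabilities (added in Linux 4.3), and assumes that wine re-executes wine-preloader, as the fix above suggests; all struct and function names are made up for the illustration.

```c
/* Added illustration: Linux execve() capability transformation (capabilities(7)),
 * for a non-root user and without ambient capabilities. */
#include <stdint.h>
#include <stdio.h>

#define NET_RAW (UINT64_C(1) << 13)   /* CAP_NET_RAW is capability number 13 */

struct proc_caps { uint64_t permitted, inheritable, effective, bounding; };
struct file_caps { uint64_t permitted, inheritable; int effective_flag; };

/* Capability sets of a process after it execve()s a file carrying the given file caps. */
struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective_flag ? n.permitted : 0;
    n.inheritable = p.inheritable;   /* the file's "i" set never raises this */
    n.bounding    = p.bounding;
    return n;
}

/* A thread or fork child (clone without execve) starts with a copy of the parent's sets. */
struct proc_caps caps_after_clone(struct proc_caps p) { return p; }

/* socket(AF_INET, SOCK_RAW, ...) needs CAP_NET_RAW in the effective set. */
int can_open_raw_socket(struct proc_caps p) { return (p.effective & NET_RAW) != 0; }

/* Scenario: user shell -> exec "wine" -> exec "wine-preloader" -> thread calls socket().
 * The second exec is an assumption inferred from the fix reported in the thread. */
int raw_socket_allowed(struct file_caps wine, struct file_caps preloader)
{
    struct proc_caps shell = { 0, 0, 0, ~UINT64_C(0) };   /* ordinary user, full bounding set */
    struct proc_caps p = caps_after_exec(shell, wine);
    p = caps_after_exec(p, preloader);
    return can_open_raw_socket(caps_after_clone(p));
}

int main(void)
{
    struct file_caps none = { 0, 0, 0 };
    struct file_caps epi  = { NET_RAW, NET_RAW, 1 };      /* setcap cap_net_raw+epi */
    printf("caps on wine only:           %s\n", raw_socket_allowed(epi, none) ? "socket ok" : "EPERM");
    printf("caps on wine-preloader only: %s\n", raw_socket_allowed(none, epi) ? "socket ok" : "EPERM");
    return 0;
}
```

The single-binary test program from the first post corresponds to one `caps_after_exec` followed by `caps_after_clone`, which keeps CAP_NET_RAW because no second execve happens.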

Post by minami » Fri Jun 25, 2010 5:01 am

Thunderbird wrote:
> You should set this capability on wineserver as that's what is actually creating the sockets.

Thanks, this did the trick for me. (v. 1.1.44)

Post by jeku » Mon Jan 23, 2012 5:24 am

Hi, I hope someone can help..
I am running this on a redhat 5 version.
My problem is that I am not able to run the sudo command due to limitations in the company policy....
I got help to do this setcap from a guy who owned the root password.
However after doing the setcap command as root, then wineserver was not able to find the libwine.so.1.
Is there some way around this?

BR
Jan Erik

Post by jjmckenzie » Mon Jan 23, 2012 11:43 am

On Mon, Jan 23, 2012 at 3:24 AM, jeku <wineforum-user@winehq.org> wrote:
> Hi, I hope someone can help..
> I am running this on a redhat 5 version.
> My problem is that I am not able to run the sudo command due to limitations in the company policy....

This is what you have to do...

> I got help to do this setcap from a guy who owned the root password.
> However after doing the setcap command as root, then wineserver was not able to find the libwine.so.1.

You broke Wine by running it as root. See the FAQ on how to fix.

James

Post by vitamin » Tue Jan 24, 2012 11:50 pm

jjmckenzie wrote:
> You broke Wine by running it as root. See the FAQ on how to fix.

I'm not sure this is the case. Setcaps is not the same as setuid...

Was able to reproduce it here as well. This is actually a known problem: http://bugs.winehq.org/show_bug.cgi?id=26256

Post by jjmckenzie » Wed Jan 25, 2012 10:53 am

On Tue, Jan 24, 2012 at 9:50 PM, vitamin <wineforum-user@winehq.org> wrote:
>> jjmckenzie wrote:
>> You broke Wine by running it as root. See the FAQ on how to fix.
> I'm not sure this is the case. Setcaps is not the same as setuid...

I 'read' that the user used sudo to run the program which should be the same as running as root. This should not be recommended...

> Was able to reproduce it here as well. This is actually a known problem: http://bugs.winehq.org/show_bug.cgi?id=26256

That is good to know.

James
