List: wine-devel
Subject: Re: Wanted: small C program to drop all capabilities
From: Scott Ritchie <scott () open-vote ! org>
Date: 2010-09-29 18:38:09
Message-ID: 4CA38791.2060403 () open-vote ! org
On 09/29/2010 07:53 AM, Scott Ritchie wrote:
> On 09/29/2010 07:12 AM, Alexandre Julliard wrote:
>> Scott Ritchie <scott@open-vote.org> writes:
>>
>>> Ubuntu 10.10 is coming out soon, and its new kernel settings prevent
>>> Wine apps from looking at each other's memory. This breaks World of
>>> Warcraft, among other things. See:
>>> http://bugs.winehq.org/show_bug.cgi?id=24193
>>>
>>> What's needed is a very small shim for Wine that can be setuid 0, but
>>> then release all capabilities except what Wine actually needs -- what a
>>> normal user has, and cap_sys_ptrace.
>>
>> I don't think that's a good idea. CAP_SYS_PTRACE allows access to any
>> process, so it's a lot more dangerous than the standard ptrace checks
>> that Ubuntu decided to break. Going back to the default behavior is
>> probably safer than making Wine setuid...
>>
>
> Unfortunately the default behavior can only be set globally, so that
> leaves me with:
>
> 1) make installing the package cause the global change
> 2) the above idea
> 3) do nothing
>
> I'm not sure which is worse, although I know doing nothing breaks a lot
> of apps. The long term solutions are described at the bug however.
>
> It would be rather nice if there were a cap_sys_ptrace that were at
> least restricted to other processes owned by that user...
>
>
Actually there's a 4th option that I hadn't realized: apps can give up
their own ptrace protection. So Wine can do that for all Wine apps.
This should be fairly easy (details at bug report).
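The opt-out described above is the PR_SET_PTRACER prctl that Yama provides on Ubuntu 10.10 kernels with ptrace_scope enabled. As an added illustration (not code from this thread or from Wine), the C below shows the narrow form, which names one permitted tracer pid, beside the PR_SET_PTRACER_ANY form that reopens the process to every same-uid process as before; the kill(pid, 0) existence check, the result enum and the header fallbacks are assumptions of this example.

```c
/* Added example: let a process relax Yama's ptrace_scope for itself.
 * Assumes Linux with glibc; PR_SET_PTRACER comes from <sys/prctl.h>,
 * with fallbacks for older headers that predate it. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61          /* "Yama" */
#endif
#ifndef PR_SET_PTRACER_ANY
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif

/* Distinguish "relaxed" from "this kernel has no Yama" (hypothetical enum). */
enum ptracer_result { PTRACER_OK = 0, PTRACER_NO_YAMA = 1, PTRACER_ERR = 2 };

/* Permit only `tracer` (e.g. a wineserver or debugger pid) to attach to us.
 * tracer == 0 clears the exception; tracer == -1 means PR_SET_PTRACER_ANY,
 * which is as open as the pre-Yama default and should be the last resort. */
static enum ptracer_result allow_ptracer(pid_t tracer)
{
    /* Yama answers EINVAL both for "no such pid" and for "Yama absent",
       so check the pid exists first to keep the two cases apart. */
    if (tracer > 0 && kill(tracer, 0) == -1 && errno == ESRCH)
        return PTRACER_ERR;
    if (prctl(PR_SET_PTRACER, (unsigned long)tracer, 0, 0, 0) == 0)
        return PTRACER_OK;
    if (errno == EINVAL)
        return PTRACER_NO_YAMA;   /* classic same-uid ptrace checks apply */
    return PTRACER_ERR;
}

static enum ptracer_result allow_any_ptracer(void)
{
    return allow_ptracer((pid_t)PR_SET_PTRACER_ANY);
}

int main(int argc, char **argv)
{
    pid_t tracer = argc > 1 ? (pid_t)atoi(argv[1]) : getppid();
    enum ptracer_result r = allow_ptracer(tracer);
    printf("PR_SET_PTRACER(%ld): %s\n", (long)tracer,
           r == PTRACER_OK ? "allowed" :
           r == PTRACER_NO_YAMA ? "no Yama, classic checks apply" : "failed");
    return r == PTRACER_ERR;
}
```

Run it as `./a.out <pid>` from the process that should become traceable; a Wine build would make the same prctl call early in its own startup rather than via a separate binary.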