  1. #1

    Limit Users wine rights


    Hey all, newbie here. Trying to figure out how to limit users' ability to install new software. I'm using the Ubuntu distro.

    Normally I don't have to worry about users without root privileges installing software because that requires a password with root privileges. But I have several Windows programs installed on their accounts through wine. So now all they have to do is download (or transfer via flash drive) an exe file and install it on wine. I'm trying to figure out how to let users run certain software on wine, but only that software. Is there any way to block wine from installing new software? Or do you know if I can make a general prohibition on exe files, and whitelist certain applications? Any help (with steps, I'm not the best on the command line) would be great.

  2. #2
    Linux Guru
    Join Date
    Dec 2013
    Posts
    2,747
    and your extensive web searches on the topic have revealed what exactly?

  3. #3
    My Google searches for restricting wine rights mostly turned up a lot of stuff about preventing wine or wine applications internet access or preventing users from access to wine altogether. I did find one post about the same issue (ubuntuforums.org/archive/index.php/t-1637907.html) but it doesn't look fully resolved.

    I've used chown and chmod before and know how to set permissions. I know I can chown wine and my whitelist of .exe applications, and give permission to a user to run those applications. The problem I'm seeing is that once he is allowed to use wine to run approved applications, he/she can just transfer a new .exe file (that they have ownership of) to the computer and so install pretty much whatever.

    What I need is to give users selective wine permissions that work as a whitelist of permitted .exe applications, that somehow block new .exe applications even though the user (not me) may own them. If there are instructions out there on that, I didn't find them.

  5. #4

  6. #5
    Ok I ended up spending too much time playing around with it, but I think I figured it out. I read some stuff on various forums that were all talking about editing permissions, but either I didn't understand it or it wasn't going to do what I wanted. So I'm posting the process I found in case it will help someone else. There might be some way for an advanced user (read: knows more than me) to break it but I think it should work for me to keep people from loading random software through wine.

    - I installed the Windows applications on my whitelist in individual wine prefixes in the users' home directory, not in the .wine directory. Each user owns and has full access to each wine prefix.
    - I took ownership of the .wine directory and removed users' permissions completely to the whole directory (chmod -R 700 /home/usr/.wine)
    - I went to /local/share/applications and removed all the duplicates of wine (all of the wine-extension-*.desktop files). Not informed enough about this to understand the reason, but I found you could install an .exe file by opening it with one of the many "a wine application" apps in the dropdown list even with permission removed from the /.wine directory. With all those files removed the only application in the dropdown list is "Wine Windows Program Loader" and trying to run it does nothing, usr has no permission.
    - I created two aliases (alias wine='echo command is prohibited' and alias unalias='echo command is prohibited'). Used permissions to prevent users from editing or deleting the alias file or the bash files that called for the alias file. This should prevent the usr from installing any Windows programs through wine via the command line (such as creating and installing under a new prefix to circumvent the lockdown on the .wine directory).

  7. #6
    Linux Guru
    Join Date
    Dec 2013
    Posts
    2,747
    Quote: Originally posted by Capsaicin
    - I took ownership of the .wine directory and removed users' permissions completely to the whole directory (chmod -R 700 /home/usr/.wine)
    this is so wrong!

    1. you took ownership? you already ARE the owner of all files in your $HOME!
    2. with that chmod, you did NOT remove your user's permissions at all. You removed group and world permissions. it's somewhat pointless in this particular situation, because everything is only accessible by the current user anyway.
    3. WORST OF ALL: you made each and every file executable! doing that, you actually made matters worse, security- and permissions-wise.

  8. #7
    Ok see where you're coming from but that's not what I meant. I took ownership of the .wine directory in other (non-sudo) users' accounts. So specifically what I did was sudo chown -R myaccount /theirhomedirectory/.wine. And then chmod -R 700 /theirhomedirectory/.wine. But I had already moved the approved programs out of their .wine and into wine prefixes under their home directory. I didn't change ownership or default permissions for these folders.

    The default permission for all the content in the .wine directory on my personal user account remains unchanged.

    That being said, I see what you are saying and so I will actually go ahead and remove my executable permissions for their .wine directories. Nobody needs it anymore, if I want to give them another windows program I'll just create them another wine prefix in their home directory and install it there.
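
Added example, not part of any post in this thread: a small audit an administrator could run to confirm that a restricted account is still in the state described in posts #5 and #7 (the .wine tree chowned away from the user, mode 700 with no execute bit left on plain files, and no wine-extension-*.desktop launchers). The function name and its three arguments are assumptions of this example, and GNU find is assumed, as on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. GNU find is assumed (Ubuntu).
# audit_wine_lockdown USER WINE_DIR APPS_DIR   (hypothetical helper)
#   USER      restricted account name
#   WINE_DIR  that account's .wine directory
#   APPS_DIR  directory holding that account's .desktop entries
# Prints one line per problem and returns the number of problems found.
audit_wine_lockdown() {
    local user=$1 wine=$2 apps=$3 findings=0 n

    if [ -d "$wine" ]; then
        # Post #5 chowns the tree to the admin: nothing may stay owned by USER.
        n=$(find "$wine" -printf '%u\n' | grep -cxF -- "$user" || true)
        if [ "$n" -gt 0 ]; then
            echo "$n entries under $wine are still owned by $user"
            findings=$((findings + 1))
        fi
        # chmod -R 700 means no group/other permission bits anywhere.
        n=$(find "$wine" -perm /077 | wc -l)
        if [ "$n" -gt 0 ]; then
            echo "$n entries under $wine grant group/other access"
            findings=$((findings + 1))
        fi
        # Posts #6/#7: -R 700 also sets the execute bit on plain files.
        # Only regular files are checked; directories need x to be entered.
        n=$(find "$wine" -type f -perm /100 | wc -l)
        if [ "$n" -gt 0 ]; then
            echo "$n regular files under $wine are executable"
            findings=$((findings + 1))
        fi
    fi

    # Post #5 deletes the wine-extension-*.desktop launchers; they should
    # stay absent from the user's applications directory.
    if [ -d "$apps" ]; then
        n=$(find "$apps" -maxdepth 1 -name 'wine-extension-*.desktop' | wc -l)
        if [ "$n" -gt 0 ]; then
            echo "$n wine-extension launchers present in $apps"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Run the audit when called with the three arguments; exit status = problem count.
if [ "$#" -eq 3 ]; then audit_wine_lockdown "$@"; fi
```

Run it with sudo so the tree is readable after the chmod; an exit status of 0 means all four checks passed.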
