Another possibility I'd like to suggest for fixing this in wine, though maybe more extreme, is to make wine a setuid program and use setuid in server/ptrace.c.
The reason to do this is that there is certain other functionality necessary for implementing the Windows API that is almost impossible without setuid. For example, the Linux program 'ping' needs to be a setuid program. I can't see how you could ever implement the Microsoft ICMP API in wine unless wine has setuid.
On Sun, Sep 12, 2010 at 3:24 AM, Michael Fox 415fox@gmail.com wrote:
Hi all,
There's a problem running wine under the new Ubuntu 10.10 (Maverick). They have enabled kernel security to prevent processes from using ptrace. This affects any wine programs which use ptrace, which is surprisingly common. For example, I found this bug because PokerStars wouldn't connect to the network.
I have filed this as a bug with Ubuntu, but they might choose not to fix it depending on how committed they are to this new security measure. It is filed as:
https://bugs.launchpad.net/ubuntu/+source/wine1.2/+bug/636278
There is a simple workaround, which is to add the ptrace capability to wineserver using the command:
sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
I tried to submit this as a bug for wine, but it was closed because the maintainer felt there was nothing the wine people could do about the way Ubuntu sets their security. I would like to make the following suggestions:
- Add a winetricks trick to fix wine on Maverick by executing: "sudo apt-get install setcap; sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver"
- Add an error message in wine when ptrace fails with error EPERM.
This message should suggest the winetrick so the user will find it quickly. In my case it took quite a while to figure out exactly what was going wrong because there is no more terminal output when ptrace fails than when it succeeds.
--
Michael
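
One way the EPERM diagnostic suggested above could look, as an added example that is not part of the original message and is not Wine code. The helper names are hypothetical, and the /proc path for the kernel's ptrace restriction is an assumption (the message does not name it).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/* Assumed sysctl path for the ptrace restriction; returns -1 if unreadable. */
int read_ptrace_scope(void)
{
    int scope = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f && fscanf(f, "%d", &scope) != 1) scope = -1;
    if (f) fclose(f);
    return scope;
}

/* Hypothetical helper: turn a ptrace errno into a user-facing message.
 * Returns 1 when the failure looks like the kernel restriction, else 0. */
int explain_ptrace_error(int err, int scope, char *buf, size_t len)
{
    if (err == EPERM && scope > 0) {
        snprintf(buf, len, "ptrace denied (EPERM), ptrace_scope=%d; workaround: "
                 "sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver", scope);
        return 1;
    }
    if (err == EPERM)
        snprintf(buf, len, "ptrace denied (EPERM): target owned by another "
                 "user, not dumpable, or already traced");
    else
        snprintf(buf, len, "ptrace failed: %s", strerror(err));
    return 0;
}

/* Attach to pid; on failure print a diagnostic instead of failing silently. */
int attach_with_diagnostic(pid_t pid)
{
    char msg[256];
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) {
        waitpid(pid, NULL, 0);   /* wait for the attach stop */
        return 0;
    }
    int err = errno;             /* save before any call can overwrite it */
    explain_ptrace_error(err, read_ptrace_scope(), msg, sizeof msg);
    fprintf(stderr, "error: %s\n", msg);
    return -err;
}

int main(int argc, char **argv) { return argc > 1 && attach_with_diagnostic((pid_t)atoi(argv[1])) != 0; }
```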