I tried to update the Ocean application as outlined in bug 8332 and got a message from the console stating I needed to be running as root for ICMP to work. I thought wine was not to be run as root, is this not correct?
    int sid=socket(AF_INET,SOCK_RAW,IPPROTO_ICMP);
    if (sid < 0) {
        MESSAGE("WARNING: Trying to use ICMP (network ping) will fail unless running as root\n");
        SetLastError(ERROR_ACCESS_DENIED);
        return INVALID_HANDLE_VALUE;
    }
EA Durbin wrote:
> I tried to update the Ocean application as outlined in bug 8332 and got a message from the console stating I needed to be running as root for ICMP to work. I thought wine was not to be run as root, is this not correct?
>
>     int sid=socket(AF_INET,SOCK_RAW,IPPROTO_ICMP);
>     if (sid < 0) {
>         MESSAGE("WARNING: Trying to use ICMP (network ping) will fail unless running as root\n");
>         SetLastError(ERROR_ACCESS_DENIED);
>         return INVALID_HANDLE_VALUE;
>     }
It's not the ICMP you need to look at but "SOCK_RAW". This is not supported for regular users, only superuser.
Vitaliy.
> > I thought wine was not to be run as root, is this not correct?
> It's not the ICMP you need to look at but "SOCK_RAW". This is not supported for regular users, only superuser.
So to be clear: we strongly recommend against running Wine as root. But you sometimes need to run Wine as root in order to do certain things on Linux, e.g. open raw sockets. The solution: don't run applications that want to do those things, or take it up with the Linux kernel developers.
--Juan
----------------------------------------
> Date: Sun, 21 Oct 2007 14:05:15 -0700
> From: juan.lang@gmail.com
> To: ead1234@hotmail.com
> Subject: Re: icmp states I need to be running wine as root
> CC: wine-devel@winehq.org
>
>>> I thought wine was not to be run as root, is this not correct?
>> It's not the ICMP you need to look at but "SOCK_RAW". This is not supported
>> for regular users, only superuser.
>
> So to be clear: we strongly recommend against running Wine as root.
> But you sometimes need to run Wine as root in order to do certain
> things on Linux, e.g. open raw sockets. The solution: don't run
> applications that want to do those things, or take it up with the
> Linux kernel developers.
>
> --Juan
I can ping in linux without being a superuser? Isn't there another way to do this than with SOCK_RAW, or having to run wine as root?
> I can ping in linux without being a superuser? Isn't there another way to do this than with SOCK_RAW, or having to run wine as root?
I think you mean the first sentence as a statement, not a question. And yes you can, sort of: the ping executable is suid root. It runs as root, regardless of whether you are.
In answer to your second question: yes, modify the Linux kernel not to have such restrictions.
--Juan
----------------------------------------
> Date: Sun, 21 Oct 2007 14:26:58 -0700
> From: juan.lang@gmail.com
> To: ead1234@hotmail.com
> Subject: Re: icmp states I need to be running wine as root
> CC: wine-devel@winehq.org
>
>> I can ping in linux without being a superuser? Isn't there another way to do this than with SOCK_RAW, or having to run wine as root?
>
> I think you mean the first sentence as a statement, not a question.
> And yes you can, sort of: the ping executable is suid root. It runs
> as root, regardless of whether you are.
Why can't the ping request be forwarded to the linux ping executable that I have the ability to run rather than trying to open a new raw socket which I don't have permission to do?
> Why can't the ping request be forwarded to the linux ping executable that I have the ability to run rather than trying to open a new raw socket which I don't have permission to do?
Patches always welcome.
--Juan
* On Sun, 21 Oct 2007, Juan Lang wrote:
> > Isn't there another way to do this than with SOCK_RAW, or having to run wine as root?
> In answer to your second question: yes, modify the Linux kernel not to have such restrictions.
Well, there are already patches which modify it in one way or another. I refer to "man 7 capabilities" or web resources [1]-[3]. Some of the approaches may be abandoned already, but I see recent discussion [4] on this and by [5] I judge SELinux already can handle this task.
Plus, I have found a recently updated tool called "Filesystem capabilities for linux" which also is not POSIX compatible (as was the old capabilities implementation for the linux kernel):
| With this patch, you will be able to grant selective privileges to
| executables on a needed basis. This means for some executables, there is
| no need anymore to run as root or as a suid root binary.
|
| For example, you may drop the SUID bit from ping and grant the
| CAP_NET_RAW capability:
|
| # chmod u-s /bin/ping
| # chcap cap_net_raw=ep /bin/ping
If this is an acceptable solution, then it probably would be nice for Wine to have a separate binary for every needed capability. CAP_NET_RAW (for ICMP), CAP_SYS_RAWIO (for IO ports) and CAP_SYS_NICE (for thread priority) come to mind.
The plan is to not force users to give a bunch of capabilities to the main Wine binary (or even several of them) at once (so the security risk should be increased in a minimal way). But well, that could be a minor nuance for such users.
[1] http://www.securityfocus.com/infocus/1400
[2] http://lwn.net/Articles/79185/
[3] http://lwn.net/Articles/199004/
[4] http://lkml.org/lkml/2006/9/18/100
[5] http://lwn.net/Articles/79208/
[6] http://www.olafdietsche.de/linux/capability/
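Added example, not part of any message in this thread and not Wine's code: a C check that tests for CAP_NET_RAW, the capability named above as what raw ICMP sockets need, instead of assuming the caller must be root. It reads the CapEff mask from /proc/self/status and then attempts the same socket() call quoted at the top of the thread; the function names and the constructed sample line are assumptions for illustration.

```c
/* Added example: report whether this process may open a raw ICMP socket
 * by checking CAP_NET_RAW rather than "am I root". Linux only. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CAP_NET_RAW_BIT 13   /* value of CAP_NET_RAW in <linux/capability.h> */

/* Parse the "CapEff:" line of /proc/<pid>/status text.
 * Returns 1 if the capability bit is set, 0 if clear, -1 if no such line. */
int cap_effective_has(const char *status_text, int cap_bit)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return -1;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> cap_bit) & 1ULL);
}

/* Attempt the socket() call from the quoted snippet.
 * Returns 0 on success, otherwise the errno that socket() set. */
int try_raw_icmp(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed sample: a process holding only CAP_NET_RAW (bit 13). */
    static const char sample[] = "CapEff:\t0000000000002000\n";
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); }

    int err = try_raw_icmp();
    printf("sample CAP_NET_RAW=%d\n", cap_effective_has(sample, CAP_NET_RAW_BIT));
    printf("euid=%d CAP_NET_RAW=%d raw ICMP socket: %s\n", (int)geteuid(),
           cap_effective_has(buf, CAP_NET_RAW_BIT), err ? strerror(err) : "ok");
    if (err == EPERM || err == EACCES)
        fprintf(stderr, "raw socket denied: process lacks CAP_NET_RAW\n");
    return 0;
}
```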
"EA" == EA Durbin ead1234@hotmail.com writes:
...
EA> I can ping in linux without being a superuser? Isn't there another
EA> way to do this than with SOCK_RAW, or having to run wine as root?
ls -l /bin/ping
-rwsr-xr-x 1 root root 39496 25. Nov 2006 /bin/ping
ping is suid root. Can we perhaps translate a lot of icmp.dll calls via ping?