Hi all,
There's a problem running wine under the new Ubuntu 10.10 (Maverick). They have enabled kernel security to prevent processes from using ptrace. This affects any wine programs which use ptrace, which is surprisingly common. For example I found this bug because PokerStars wouldn't connect to the network.
I have filed this as a bug with Ubuntu, but they might choose not to fix it depending on how committed they are to this new security measure. It is filed as:
https://bugs.launchpad.net/ubuntu/+source/wine1.2/+bug/636278
There is a simple workaround and it is to add the ptrace capability to wineserver using the command:
sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
I tried to submit this as a bug for wine, but it was closed because the maintainer felt there was nothing the wine people could do about the way Ubuntu sets their security. I would like to make the following suggestions:
1. Add a winetricks trick to fix wine on Maverick by executing: "sudo apt-get install setcap; sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver"
2. Add an error message in wine when ptrace fails with error EPERM. This message should suggest the winetrick so the user will find it quickly. In my case it took quite a while to figure out exactly what was going wrong because there is no more terminal output when ptrace fails than when it succeeds.
Another possibility I'd like to suggest for fixing this in wine, though maybe more extreme, is to make wine a setuid program and use setuid in server/ptrace.c
The reason to do this is that there is certain other functionality necessary for implementing the Windows API that is almost impossible without setuid. For example the Linux program 'ping' needs to be a setuid program. I can't see how you could ever implement the Microsoft ICMP API in wine unless wine has setuid.
On Sun, Sep 12, 2010 at 3:24 AM, Michael Fox 415fox@gmail.com wrote:
> Hi all,
> There's a problem running wine under the new Ubuntu 10.10 (Maverick). They have enabled kernel security to prevent processes from using ptrace. This affects any wine programs which use ptrace, which is surprisingly common. For example I found this bug because PokerStars wouldn't connect to the network.
> I have filed this as a bug with Ubuntu, but they might choose not to fix it depending on how committed they are to this new security measure. It is filed as:
> https://bugs.launchpad.net/ubuntu/+source/wine1.2/+bug/636278
> There is a simple workaround and it is to add the ptrace capability to wineserver using the command:
> sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
> I tried to submit this as a bug for wine, but it was closed because the maintainer felt there was nothing the wine people could do about the way Ubuntu sets their security. I would like to make the following suggestions:
> - Add a winetricks trick to fix wine on Maverick by executing: "sudo apt-get install setcap; sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver"
> - Add an error message in wine when ptrace fails with error EPERM. This message should suggest the winetrick so the user will find it quickly. In my case it took quite a while to figure out exactly what was going wrong because there is no more terminal output when ptrace fails than when it succeeds.
--
Michael
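Added example, not part of any message in this thread and not Wine's code: one way the EPERM diagnostic from suggestion 2 could decide what to tell the user. The function names are hypothetical, the sysctl path /proc/sys/kernel/yama/ptrace_scope is an assumption (the thread does not name the setting), and the hint repeats the setcap workaround quoted above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CAP_SYS_PTRACE_BIT 19  /* CAP_SYS_PTRACE, from <linux/capability.h> */
/* Read a small /proc file into buf, NUL-terminated; returns bytes read. */
static size_t slurp(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    size_t got = 0;
    if (f) { got = fread(buf, 1, n - 1, f); fclose(f); }
    buf[got] = '\0';
    return got;
}

/* Sysctl text -> ptrace_scope value, or -1 if absent or unparseable. */
static int parse_scope(const char *text) {
    int v;
    return sscanf(text, "%d", &v) == 1 ? v : -1;
}

/* /proc/<pid>/status text -> 1 or 0 for cap_bit in CapEff, -1 if no such line. */
static int cap_effective_in(const char *status, int cap_bit) {
    unsigned long long eff;
    const char *p = strstr(status, "CapEff:");
    if (!p || sscanf(p, "CapEff: %llx", &eff) != 1) return -1;
    return (int)((eff >> cap_bit) & 1);
}

/* Choose the message to show after ptrace() failed with errno err. */
static const char *ptrace_failure_hint(int err, int scope, int has_cap) {
    if (err != EPERM) return "not a permission problem";
    if (has_cap == 1) return "denied although CAP_SYS_PTRACE is effective; check LSM policy";
    if (scope >= 1) return "kernel ptrace restriction is active; workaround from this thread: "
                           "sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver";
    return "target process is not traceable by this user";
}

/* Hypothetical hook a ptrace caller would invoke on failure; prints and returns the hint. */
const char *report_ptrace_failure(int pid, int err) {
    char scope[32], status[4096];
    slurp("/proc/sys/kernel/yama/ptrace_scope", scope, sizeof scope); /* assumed sysctl path */
    slurp("/proc/self/status", status, sizeof status);
    const char *hint = ptrace_failure_hint(err, parse_scope(scope),
                                           cap_effective_in(status, CAP_SYS_PTRACE_BIT));
    fprintf(stderr, "ptrace(%d) failed: %s\n  %s\n", pid, strerror(err), hint);
    return hint;
}

int main(void) { report_ptrace_failure(4242, EPERM); return 0; } /* constructed pid, simulated EPERM */
```

The decision is kept in pure functions so the three EPERM cases (restriction active, capability already held, ordinary ownership denial) can be checked without attaching to a real process.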
Eric proposed a solution in this bug: http://bugs.winehq.org/show_bug.cgi?id=24193
J. Leclanche
On Sun, Sep 12, 2010 at 11:35 AM, Michael Fox 415fox@gmail.com wrote:
> Another possibility I'd like to suggest for fixing this in wine, though maybe more extreme, is to make wine a setuid program and use setuid in server/ptrace.c
> The reason to do this is that there is certain other functionality necessary for implementing the Windows API that is almost impossible without setuid. For example the Linux program 'ping' needs to be a setuid program. I can't see how you could ever implement the Microsoft ICMP API in wine unless wine has setuid.
CAP_NET_RAW should enable ping to work just fine I think. setuid seems a little too dangerous on the current wineserver, we don't do many checks and a few bugs on our side will turn the OS into Windows, and not in a good way. Better stick to caps for now while we don't need all the uid 0 features.
Mike.
On 09/12/2010 05:57 PM, Mike Kaplinskiy wrote:
> CAP_NET_RAW should enable ping to work just fine I think. setuid seems a little too dangerous on the current wineserver, we don't do many checks and a few bugs on our side will turn the OS into Windows, and not in a good way. Better stick to caps for now while we don't need all the uid 0 features.
> Mike.
Will today's Wine actually make use of CAP_NET_RAW if it has it on Linux?
Perhaps more importantly, could Wine include a "wineping" program that has CAP_NET_RAW so we can get programs that use pings working without letting arbitrary programs craft their own raw sockets?
Thanks, Scott Ritchie
On Sun, Sep 12, 2010 at 10:24 PM, Scott Ritchie scott@open-vote.org wrote:
> Will today's Wine actually make use of CAP_NET_RAW if it has it on Linux?
> Perhaps more importantly, could Wine include a "wineping" program that has CAP_NET_RAW so we can get programs that use pings working without letting arbitrary programs craft their own raw sockets?
> Thanks, Scott Ritchie
Unless we decide to change who creates the sockets, the wineserver needs CAP_NET_RAW, not a particular program. We don't take advantage of the caps of the executable (mostly?). It actually wouldn't be too hard to have the app create the socket and not the server.
Mike.