Hi, could someone please explain how I can get wine to fully mimic Windows behavior and let me bind to privileged Linux ports, most importantly 80 and 843? Thanks for any pointers.
Gert van den Berg
2010-Feb-06 07:39 UTC
[Wine] binding to privileged Linux ports (<= 1024)
On Sat, Feb 6, 2010 at 09:20, mc2718 <wineforum-user at winehq.org> wrote:
> Hi, could someone please explain how I can get wine to fully mimic Windows behavior and let me bind to privileged Linux ports, most importantly 80 and 843? Thanks for any pointers.

POSIX Capabilities are the safe way.... Running as root is the easy, but dangerous way...

Gert
On Sat, 2010-02-06 at 01:20 -0600, mc2718 wrote:
> Hi, could someone please explain how I can get wine to fully mimic Windows behavior and let me bind to privileged Linux ports, most importantly 80 and 843? Thanks for any pointers.

See CAP_NET_BIND_SERVICE in man 7 capabilities

To set the capability, see man 3 cap_set_fd

also look up socket(), bind(), listen()

Martin
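As an added illustration of the capabilities(7) and bind() references above (this is not code from the thread or from the Wine project), the following program reads the effective capability set of the running process from /proc/self/status, reports whether CAP_NET_BIND_SERVICE is held, and shows what bind() returns on 127.0.0.1:80, :843 and an ephemeral port. It uses only /proc and the socket API so it builds without libcap; the bit index 10 for CAP_NET_BIND_SERVICE comes from the kernel's capability numbering, and the port list is just the two ports named in the question. Run it once as a plain user (expect "Permission denied" on 80 and 843) to see the failure mode the later replies warn about before deciding whether any process really needs the capability.

```c
/* Added example: check CAP_NET_BIND_SERVICE and the bind() outcome on
 * privileged ports. Not from the thread; assumes a Linux /proc layout. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Bit index of CAP_NET_BIND_SERVICE in the capability masks (capabilities(7)). */
#define CAP_NET_BIND_SERVICE_BIT 10

/* Parse one "CapEff:\t<hex>" line as found in /proc/<pid>/status and report
 * whether the given capability bit is set. Returns 1 if set, 0 if clear,
 * -1 if the line is not a CapEff line. */
int capeff_has_bit(const char *line, int bit)
{
    if (!line || strncmp(line, "CapEff:", 7) != 0)
        return -1;
    const char *p = line + 7;
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long mask = strtoull(p, NULL, 16);
    return (int)((mask >> bit) & 1ULL);
}

/* Read this process's effective capability set from /proc/self/status.
 * Returns 1 if CAP_NET_BIND_SERVICE is effective, 0 if not, -1 on error. */
int has_cap_net_bind_service(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        int r = capeff_has_bit(line, CAP_NET_BIND_SERVICE_BIT);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to bind a TCP socket to 127.0.0.1:port (port 0 = any ephemeral port).
 * Returns 0 on success, otherwise the errno from socket()/bind(). EACCES is
 * what an unprivileged process without CAP_NET_BIND_SERVICE sees on ports
 * below the privileged boundary. The socket is closed again immediately. */
int try_bind_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = 0;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0)
        rc = errno;
    close(fd);
    return rc;
}

int main(void)
{
    int has = has_cap_net_bind_service();
    printf("CAP_NET_BIND_SERVICE effective: %s\n",
           has == 1 ? "yes" : has == 0 ? "no" : "unknown");
    /* Ports named in the question, plus 0 to show an ephemeral bind succeeding. */
    unsigned short ports[] = { 80, 843, 0 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int rc = try_bind_port(ports[i]);
        printf("bind 127.0.0.1:%u -> %s\n", ports[i], rc ? strerror(rc) : "ok");
    }
    return 0;
}
```

Build with `cc -o capcheck capcheck.c` and run it as the user who would run wine; the "Permission denied" on 80 and 843 is the kernel refusing the bind because the effective set lacks bit 10, which is exactly what granting the capability would remove for every program the capable binary starts.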
mc2718, there are reasons CAP_NET_BIND_SERVICE is not default for normal users under Linux. 1) A lot of the 1024-and-under ports are items that run for a very long time. So they should be protected by running as independent users, and preferably have a Linux Security Module configured over them. If you need to be going near root or capabilities, it's a warning sign. 843 is one of the big question marks to me. Seriously, why? The only use of that I know of is this: http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html It's a native perl or python script. Normally you use the python. Now if something else is using that port there could be big trouble. Even port 80 is a question mark.
I have to have this functionality in order to take part in a Flash development project. The project environment is unfortunately not under my control - I need 843 for the Flash policy server and 80 for a local ONLY web server, so that I can run the tools and examples I need to build on. Life is life. Do I set the capability on wine itself? Will the other windows goodies (exe files, etc) then inherit those?
I have done support for over 8 years on wine, Martin Gregorie. Unless I stuff up in my advice, developers mostly don't chip in. This is the problem: you turn CAP_NET_BIND_SERVICE on for wine, too many things also get access to that permission. Things you may not want having access to that permission. I should have been more direct. Capabilities set on wine do inherit through. Wine is coded that way. CAP_NET_BIND_SERVICE is required so a few game servers work from wine. This is only done if there is no native version of that game server as well. Risks are too high to be doing it out of laziness. Biggest problem with CAP_NET_BIND_SERVICE is that it exists to prevent conflicts and security breaches. Like a user running their own DNS server and overriding the system DNS server, so allowing a man-in-the-middle attack. Basically a lot of services using under 1024 are critical services for security. Using capabilities when you should not opens up a whole stack of problems. Number 1: wine does not have user separation, so unless you are really, really careful, items that should not have it get it. Problem here, Martin Gregorie: what mc2718 is asking to do is not safe, or is highly costly on system resources. There is no valid reason to be doing it. There is a good invalid reason, pure laziness: I don't care if I screw up the system, I just want it to work now. Basically mc2718, or anyone else: use capabilities without valid grounds, and if your system ends up developing lots of strange problems, don't complain to us. You would have brought it on yourself. It's the same policy we have for people running as root without grounds. There is no valid reason ever to run wine as root on Linux. There are some platforms where there is no other option in some cases but to use root with wine, i.e. no capabilities to hand out permissions. There are some valid reasons to use capabilities with wine on Linux, but they are strictly limited. I.e. policy of wine support.
You alter your OS security without valid reason, you are on your own. Be aware, everyone: wine can run some windows viruses and other harmful programs. If these risks did not exist, caps most likely would have been granted off the start line.
Basically Martin, we are one of the first cluesticks they run into. Just telling them how to do stuff, they will keep on repeating their bad ways. Then come back and blame wine or the people giving assistance for destroying their system. Wine does not deserve blame for stupidity. Remember a lot of people will not take responsibility for their own actions and seek to blame others. You will learn this after a few years supporting wine. I.e. don't give how to alter security until you have checked that the user knows what they are doing. Sorry if I seem strict. When I was starting out I was more lax and saw wine get blamed for things it should never have been. Like running as root and losing the complete OS due to a windows virus running in wine. Those people came back demanding that wine should be more like a virtual machine. Not accepting their stupidity.
mc2718, good security is like an onion. You have layers. Firewall is only one layer. DAC permissions are another. MAC permissions are another. Physical controls are another. At the firewall layer I use single packet port knocking to open the ssh. So it is hidden most of the time. Also, the fewer non-security layers the better. I.e. wine is a non-security layer. Always remembering any one layer could fail one day. Each layer reduces the risk of complete failure. Security is what got my fear of you, mc2718. People from a windows background have the problem of putting too much faith in anti-viruses and firewalls. Where good security from the Unix/Linux world teaches you not to depend on them.
oiaohm wrote:
> mc2718, good security is like an onion. You have layers.
>
> Firewall is only one layer. DAC permissions are another. MAC permissions are another. Physical controls are another.
>
> At the firewall layer I use single packet port knocking to open the ssh. So it is hidden most of the time.
>
> Also, the fewer non-security layers the better. I.e. wine is a non-security layer.
>
> Always remembering any one layer could fail one day. Each layer reduces the risk of complete failure.
>
> Security is what got my fear of you, mc2718. People from a windows background have the problem of putting too much faith in anti-viruses and firewalls. Where good security from the Unix/Linux world teaches you not to depend on them.

Or doing a massive study for the CISSP/IASSP exam. I have to get this to keep my job. In any case, a firewall with a host based security system can be and is a lot of fun.

James McKenzie