Hi,

Wine is a great tool, especially for newbies like me who switched from Windows to Linux. But there is something I really don't understand. When I configure Wine I can link paths to "Windows drives". I deleted "Z:", I deleted the links to the desktop and so on. But every native Windows application is able to see the whole Linux path structure (which is naturally unlike Windows). It's right - it's not possible to open any file, BUT I can rename or delete any file ...

If WINE is no emulator but a compatibility layer - what speaks against disabling access to any path / file structure outside of the configured paths? It is even possible to deny access to different paths in Windows itself by catching the file access routines - more than ever it should be possible when writing wrappers / mappers to Linux kernel functions, am I right?

So long
LastCoder
DaVince
2010-Aug-18 18:14 UTC
[Wine] Re: [Wine 1.3] Access to "/" for Windows Applications
This is probably how the file selector is made. The thing is - Wine's file selector will be able to access these files, but your application wouldn't actually be able to see or use any of these. Since you removed Z:, you shouldn't be able to select one of these files and then open or save it under that name. If you can, then we have a problem.
Lastcoder
2010-Aug-19 06:12 UTC
[Wine] Re: [Wine 1.3] Access to "/" for Windows Applications
.. it's okay if WINE is no sandbox, a sandbox is more than special file handling ..

.. but from the technical & practical point of view I just don't see any reason why WINE has to give Windows applications access to paths or file structures outside of the configured drives. In former DOS times you hooked INT 13h and INT 21h, in Windows you have to gain control of the win32 file functions (which is basic knowledge of every better-than-script-kiddie malware author ..) ... you guys managed to map the whole absolutely ugly Windows stuff to kernel functions and want to tell me that this is impossible ???

So long
LastCoder
DanKegel
2010-Aug-20 07:16 UTC
[Wine] Re: [Wine 1.3] Access to "/" for Windows Applications
First off, "winetricks sandbox" almost does what you want, except that "wineboot" (or installing ie6, or anything else that reboots windows) will undo the sandboxing (there might be a wine bug there), and that malicious code can very easily escape (e.g. by running native linux code). If you want a somewhat more secure sandbox, you could try to run wine in a chroot jail. This is annoying but might be worth the trouble for a few users. If you really want this right now, see http://media.codeweavers.com/pub/crossover/case_studies/WineAndSecurity.pdf which says CrossOver already supports this.
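
Added example, not part of the thread and not code from Wine or winetricks: a shell function that lists the symlinks under a prefix's `dosdevices` and `drive_c/users` directories that resolve outside the prefix, which is where the `Z:` drive and the desktop links discussed above live. The directory layout and the availability of `readlink -f` (GNU or BusyBox) are assumptions, and the sample prefix is constructed for the demonstration.

```shell
#!/bin/sh
# Report symlinks in a Wine prefix whose targets resolve outside the prefix.
# Usage: sh audit.sh "${WINEPREFIX:-$HOME/.wine}"

audit_prefix() {
    # Canonical prefix path, so the comparison is not fooled by symlinked parents.
    prefix=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "no such prefix: $1" >&2
        return 2
    }
    # dosdevices holds the drive-letter links; drive_c/users holds the
    # per-user folder links (Desktop and similar) that point into the real home.
    for dir in "$prefix/dosdevices" "$prefix/drive_c/users"; do
        [ -d "$dir" ] || continue
        find "$dir" -type l
    done | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$prefix"|"$prefix"/*) ;;                  # stays inside the prefix
            *) printf '%s -> %s\n' "$link" "$target" ;; # leaves the prefix
        esac
    done
}

# Constructed sample prefix: c: stays inside, z: and Desktop point outside.
make_sample_prefix() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/prefix/dosdevices" \
             "$root/prefix/drive_c/users/user" \
             "$root/home/Desktop"
    ln -s ../drive_c "$root/prefix/dosdevices/c:"
    ln -s / "$root/prefix/dosdevices/z:"
    ln -s "$root/home/Desktop" "$root/prefix/drive_c/users/user/Desktop"
    printf '%s\n' "$root/prefix"
}

# Run the audit only when a prefix path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_prefix "$1"
fi
```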