http://appdb.winehq.org/objectManager.php?sClass=version&iId=17231 Says I need root to get this app to run. Everywhere else says root will murderdeathkill your whole family. Can someone explain to me the right way to get this app to run without being a terrorist? The whole point of this computer is to run that app. I installed it normally and it opens but ya, as stated in the link above. It cannot ping anything.
Sorry to say, needing to run as root in this case is security incompetence. First thing you have to be aware of is that Root user does not exist. Yes, you can see it, but really from the Linux Kernel point of view it doesn't exist. What the Linux kernel sees is a user granted all capabilities that happens to be userid 0, that is root. http://linux.die.net/man/7/capabilities Each of the capabilities can grant to a program a small fragment of the power root has. Now to use this. I use the setcap program to assign capabilities flags to binaries. Under Debian this tool is hidden away in libcap2-bin. Little guide to using: http://lwn.net/Articles/313047/ Now, the older command to do the same job was setfcaps. Don't try using the next lot to solve the problem as such, but it contains good instructions, when you update setfcaps instructions to setcap instructions, to find out what caps an application really requires. http://www.ibm.com/developerworks/library/l-posixcap.html Be aware there is even a capabilities flag to lie to an application that it is userid 0. There are very few if any programs that should be running as root on a Linux system.
> What the Linux kernel sees is a user granted all capabilities that happens to be userid 0 that is root.

Little error here. Linux kernel does not know that userid 0 is root. It's the password file that gives userid 0 the root name. If you want to, you can change the default number for the default user in the Linux kernel to something other than 0. Yes, it would confuse some applications badly. Nothing kernel side demands user 0 be all powerful.
On Fri, Nov 20, 2009 at 6:21 AM, Skaught <wineforum-user at winehq.org> wrote:
> http://appdb.winehq.org/objectManager.php?sClass=version&iId=17231
>
> Says I need root to get this app to run.
>
> Everywhere else says root will murderdeathkill your whole family.
>
> Can someone explain to me the right way to get this app to run without
> being a terrorist?
>
> The whole point of this computer is to run that app.
>
> I installed it normally and it opens but ya, as stated in the link above.
> It cannot ping anything.

That is because you need to be root in order to craft ICMP packets. That's why even the native 'ping' command is setuid root:

ls -la `which ping`
-rwsr-xr-x 1 root root 35600 2009-05-11 18:43 /bin/ping

I am not sure what is the best solution in your case.

--Stephen
programmer, n: A red eyed, mumbling mammal capable of conversing with inanimate monsters.
Stephen Eilert said:
>On Fri, Nov 20, 2009 at 6:21 AM, Skaught <wineforum-user at winehq.org> wrote:
>
>> http://appdb.winehq.org/objectManager.php?sClass=version&iId=17231
>>
>> Says I need root to get this app to run.
>>
>> Everywhere else says root will murderdeathkill your whole family.
>>
>> Can someone explain to me the right way to get this app to run without
>> being a terrorist?
>>
>> The whole point of this computer is to run that app.
>>
>> I installed it normally and it opens but ya, as stated in the link above.
>> It cannot ping anything.
>
>That is because you need to be root in order to craft ICMP packets. That's
>why even the native 'ping' command is setuid root:
>
>ls -la `which ping`
>-rwsr-xr-x 1 root root 35600 2009-05-11 18:43 /bin/ping
>

Ping will run as an ordinary user. However, any program that needs/requires/desires to access a TCP/UDP port less than 1024, normally has to be run as root. There are methods to remove this restriction and they can be googled/binged for. The Applications database is correct in that this, and other, programs have to be run as root. You just need to be VERY CAREFUL when doing so. If you 'accidentally' pick up a virus that is designed to wipe your hard drive, as an ordinary user, it may cause some damage. As root (or any user that is in group id 0), more damage MAY occur. You can do things like rm -rf * as root that will completely wipe your hard drive clean. Those are two of the dangers, there are more. So, you have to be CAREFUL and be aware of the possibilities. If you are paranoid (and you should be) do an image backup of your system and then try the program.

James McKenzie
James McKenzie and Stephen Eilert: read what I posted. Distributions are lazy, that simple. There is no need for ping to have a setuid bit. Ping is not wine. Ping has limited function so limited risk. Wine has the means to do anything. Appdb is wrong for Linux systems. Only reason for needing root is not knowing about capabilities. Now also beware capabilities is only 1 form of control. You will find distributions who have ping as setuid root will have the likes of selinux or apparmor or some other LSM taking away the excess power, so limiting the access ping has. Basically running as root is not wise. setuid wine with LSM around it is kinda ok, at least damage is limited. Capabilities are neater: avoid giving the unrequired permissions in the first place, so not needing an LSM wrapper to keep it away from system core. Also a setuid app can have subtractive capabilities applied. getcap on the file will show these. It's distribution selection if they use LSM or capabilities. CAP_NET_ADMIN gives all the network powers of root. None of the file-system powers of root. CAP_NET_RAW is used for ping since it's a raw packet. CAP_NET_BIND_SERVICE allows under 1024 port binding. Simple fact, James McKenzie: the documentation covering the security is also in the Linux kernel source. That no one bothers reading. Including you. Why bother doing a system backup when simply understanding what is there removes most of the risk. Googling or binging for the solution requires you to know that you are looking for capabilities or LSM controls. Capabilities are very straightforward. The appdb is badly wrong. The risks far outweigh any benefit. setcap is not that big of an ogre to use compared to the risks. http://wiki.winehq.org/FAQ#head-96bebfa287b4288974de0df23351f278b0d41014 To top it off, it's in the FAQ people fail to read, redirecting you to the capabilities option. There are other containment options for FreeBSD and Solaris.
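The capabilities named in the post above are individual bits in the masks the kernel reports on the `CapEff` line of `/proc/<pid>/status`. The following Python is an added example, not part of the original thread: it decodes such a mask and lists what a process holds beyond what it needs. The function names and the two status snippets are constructed for illustration; the bit numbers follow `<linux/capability.h>`.

```python
# Added example: decode Linux capability bitmasks as shown in /proc/<pid>/status.
# Bit numbers follow <linux/capability.h>; the status snippets are constructed.

CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_mask(mask):
    """Return the capability names whose bits are set in an integer mask."""
    names = [n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    unknown = mask >> len(CAP_NAMES)
    if unknown:  # bits newer than this table knows about
        names.append("unknown:0x%x" % (unknown << len(CAP_NAMES)))
    return names

def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "CapEff":
            return decode_mask(int(value.strip(), 16))
    raise ValueError("no CapEff line found")

def excess_caps(status_text, needed):
    """Capabilities the process holds beyond the set it actually needs."""
    return [c for c in effective_caps(status_text) if c not in needed]

# Constructed samples: a uid-0 process holding every capability in the table,
# and an unprivileged process whose binary was granted only cap_net_raw.
ROOT_STATUS = "Name:\tping\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
RAW_ONLY_STATUS = "Name:\tping\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002000\n"

if __name__ == "__main__":
    print(effective_caps(RAW_ONLY_STATUS))
    print(len(excess_caps(ROOT_STATUS, {"CAP_NET_RAW"})), "excess capabilities as root")
```

On a live system the same functions can be fed the contents of `/proc/<pid>/status` for the process being checked.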
Truth is, even if I wanted to run it as root I would not have the first idea of how.

What is?
setuid bit
appdb
selinux
apparmor
LSM
.getcap
CAP_NET_ADMIN
setcap

At various points ppl have said how straightforward it is. All I have seen is jargon and disagreement. Am I out of line in trying to run a little program on Ubuntu without having spent the last 5 years of my life sequestered in my basement reading source code and faqs? I googled lots of things over several hours relating to my issue and found no docs or guides on how to run ping plotter on wine.
What exactly is so risky about giving root to the only app that ever runs on the system? Everyone talks about viruses but how can a machine get a virus if it is just used to run pings. Plus if it got infected I would just format the HDD and reload it. There is nothing of value on the system. I understand the risk of a zombie (I work at an ISP) but since this machine is on a private network and firewalled bigtime the damage would be very limited if any at all. I suppose it could try to DOS some routers (it pings routers) but it lacks Internet access as it is on our admin network. Really though I do not care if it has root, I just need to know what buttons I press to allow the program to ping things. I suppose I could load a windows VM but that kinda defeats the purpose of having linux on the system in first place.
Ok Skaught, the simplest solution in your case is to simply install and run your application as root. It isn't more dangerous than running an application under XP, where you are more or less admin, too. If you trust the author/web page of that program, that the application is free from malware and viruses, then there's no problem. The chance that some strange bug in wine might accidentally wipe your hard disk is astronomically low, as long as you are not trying to use windows defrag tools etc. Of course you should be careful with operations like deleting files, that would be as dangerous as in XP, but there's no need to panic. The second best solution may be to "cd" as root into the directory where the ping executable lies, and "chmod +s ping". That risk is also limited: if somebody hacked your linux, then the fact that the intruder will be able to ping as root will not really worsen your situation anymore.
What does your program do? If it's just ping, use the ping command.
Morten Kleven, ping plotter is very good graphics ping and traceroute combined with graphics and continual data collecting. The clash is ping it multi instances send same ping numbers so it screws up badly. Person really needs to look for tools that suit the task instead of hacking a tool that does not suit to do the job.
What about cacti? Is that somewhat the same or sufficient for your needs? sry about bad english and bad competence in the area
Morten Kleven wrote:
> What does your program do? If it's just ping, use the ping command.

"if you just need to deliver packages, use a bicycle, who needs a truck" Ya, try telling that to UPS :)

Ping plotter allows us to ping every host along a path continuously. And then graph it nicely in a way that our NOC techs can recognize easily. If a client calls in saying that Internet drops every day at random times, we run ping plotter against their IP. If there is a problem, ping plotter will show it and tell us when it happened. We also know immediately where it happened along the chain. If someone wrote a program that continuously ran a trace route over and over to a specific host and then pinged each host on the path and then compiled the data into graphs, that would be what ping plotter does. We have other tools that monitor client connections but they only check every 60 seconds. Fine for most people, but if we have a specific intermittent issue we use ping plotter to track it down. It is great for clients who complain about, say, VOIP or RDP problems. If they are doing RDP to another ISP we can run it over the entire path and find out (usually) that it is the other ISP and then tell the other ISP where and when in their network they are getting latency spikes.