tomsawyer2k5
2012-Jan-09 03:40 UTC
[Wine] Limiting the execution of Wine to allowed programs
My uncle has these kids who messed up their Windows computer on a monthly basis by going to unsafe websites. So I had to fix it for them, multiple times. There was a time when I went on strike, but because of the family I was "forced" into fixing it. Lots and lots of hours wasted on fixing their computer problems and still they don't learn their lesson. So, the past few months I changed them to Kubuntu. No viruses since and no reinstalls done for a long while :D Then a few days ago I found Linux Mint. Loved it and am in the process of switching them over. But there are a few games that I'd like to get working for them (they are die-hard sonic fans :) ). No problem since I already got them working. The issue I have with Wine is that, unlike before or I never noticed, every executable that Mint sees can be executed. I don't want that. Those kids like to download random executables and install them. So, if I could prevent wine from running all the exe files except for the three games that I installed, like have some kind of allow list, then it would be perfect. How do I go about doing this?
Pavel Troller
2012-Jan-09 04:42 UTC
[Wine] Limiting the execution of Wine to allowed programs
> My uncle has these kids who messed up their Windows computer on a monthly basis by going to unsafe websites. So I had to fix it for them, multiple times. There was a time when I went on strike, but because of the family I was "forced" into fixing it. Lots and lots of hours wasted on fixing their computer problems and still they don't learn their lesson.
>
> So, the past few months I changed them to Kubuntu. No viruses since and no reinstalls done for a long while :D Then a few days ago I found Linux Mint. Loved it and am in the process of switching them over. But there are a few games that I'd like to get working for them (they are die-hard sonic fans :) ). No problem since I already got them working.
>
> The issue I have with Wine is that, unlike before or I never noticed, every executable that Mint sees can be executed. I don't want that. Those kids like to download random executables and install them.
>
> So, if I could prevent wine from running all the exe files except for the three games that I installed, like have some kind of allow list, then it would be perfect. How do I go about doing this?

Hi! I think it might be done by the following trick with file permissions:

1) Create a special user in the system (say, wine), including its home directory. This directory must be unwritable, but readable/executable by other users.
2) Setuid the wine binary to that user.
3) Possibly create a wrapper script which will be started instead of the wine binary; it will set the proper WINEPREFIX first and then call the binary.
4) Install all the wanted binaries into that WINEPREFIX (which will reside in the wine home directory).
5) Manage wine dosdevices to disallow wine from seeing the root filesystem; let it see just its home directory and the virtual C: drive.

Because of this setup, the kids will not be able to write to the wine home directory.
The exception is that wine itself will be allowed to write there (which is necessary for most windows programs), so be sure that there is no tool installed in wine which allows downloading things (like IE, wget or similar). I hope it will work. I didn't test it, but according to the principles of the Unix permission system, it should be OK. Regards, Pavel
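As an added illustration of step 3 above (my own sketch, not Pavel's or the Wine project's code), a wrapper that stands in for the `wine` command, sets WINEPREFIX, and launches only executables listed in an allow-list file; the paths, the allow-list file name and the `canonical`/`is_allowed` helpers are all assumptions.

```shell
#!/bin/sh
# Added example: a stand-in for the "wine" command that sets WINEPREFIX and
# then runs only executables listed in an allow-list file. All paths assumed.
WINE_BIN=/usr/bin/wine                 # real wine binary (assumed location)
WINE_HOME=/home/wine                   # home of the dedicated "wine" user
export WINEPREFIX="$WINE_HOME/.wine"   # prefix the three games were installed into
# One absolute path per line; keep this file root-owned and not writable by the kids.
ALLOW_LIST="${ALLOW_LIST:-$WINE_HOME/allowed-exes.txt}"

# Print the canonical absolute path of "$1" (directory symlinks resolved), or fail.
canonical() {
    dir=$(cd "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
}

# Return 0 only if "$1" is an existing regular file whose canonical path is
# listed verbatim in ALLOW_LIST. Relative paths and "../" are resolved first so
# the comparison is on the real location, not on whatever string was typed.
is_allowed() {
    [ -f "$1" ] || return 1
    abs=$(canonical "$1") || return 1
    [ -r "$ALLOW_LIST" ] || return 1
    grep -Fxq -- "$abs" "$ALLOW_LIST"
}

main() {
    if ! is_allowed "$1"; then
        printf 'wine-wrapper: refusing to run "%s": not on the allow list\n' "$1" >&2
        exit 1
    fi
    # Linux ignores the setuid bit on scripts, so step 2 (running as the "wine"
    # user) has to be arranged separately, e.g. a sudo rule that invokes this
    # wrapper; the wrapper itself only enforces the allow list and the prefix.
    exec "$WINE_BIN" "$@"
}

# Only dispatch when an executable was given; sourcing the file just defines functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Double-clicking a freshly downloaded .exe then ends in the "refusing to run" message, while the three shortcuts created for the games keep working because their paths are in the list.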
tomsawyer2k5
2012-Jan-11 03:36 UTC
[Wine] Re: Limiting the execution of Wine to allowed programs
Wow, um, I guess I should've mentioned that my linux knowledge is that of a novice. I could do step 1, but all those other steps I do not know how to do. All I did was add the wine repository to synaptic package manager's list and chose to install the dev/beta version. Reading your idea makes sense as only the "Wine" user can directly modify the directory and as long as you're a different user, you cannot write to the C: directory thereby preventing any applications from being installed. I was thinking something like having Mint not even recognize the .exe extension by removing the file association, but then how do I get Wine to execute the three games I've installed?
tomsawyer2k5
2012-Jan-11 16:19 UTC
[Wine] Re: Limiting the execution of Wine to allowed programs
So what you're saying is that Wine can see beyond the .exe extension and run the executable for what it is, not by what it's named by. Doesn't that kinda defeat the purpose of having file associations? So I guess my next idea is a bust too. I was thinking that I should change the extension of the three games to something like ".lxx" and then have Wine associated with the .lxx file extension and remove Wine's .exe file association. That way when the kids download some exe from the internet and try to double-click it, they will be given the prompt of which program to run it with. At this point they will be confused, since they don't know about Wine, and give up. I guess this is a no go then?
landeel
2012-Jan-12 21:11 UTC
[Wine] Re: Limiting the execution of Wine to allowed programs
I have an idea. You could install the games for them in a custom WINEPREFIX and of course, create the proper shortcuts for them. Then you can break the default WINEPREFIX so when they click an executable it won't work.