Pavel Troller wrote:
> > My uncle has these kids who messed up their Windows computer on a monthly basis by going to unsafe websites. So I had to fix it for them, multiple times. There was a time when I went on strike, but because of the family I was "forced" into fixing it. Lots and lots of hours wasted on fixing their computer problems and still they don't learn their lesson.
> >
> > So, the past few months I changed them to Kubuntu. No viruses since and no reinstalls done for a long while :D Then a few days ago I found Linux Mint. Loved it and am in the process of switching them over. But there are a few games that I'd like to get working for them (they are die-hard Sonic fans :) ). No problem since I already got them working.
> >
> > The issue I have with Wine is that, unlike before or I never noticed, every executable that Mint sees can be executed. I don't want that. Those kids like to download random executables and install them.
> >
> > So, if I could prevent wine from running all the exe files except for the three games that I installed, like have some kind of allow list, then it would be perfect. How do I go about doing this?
>
> Hi!
> I think it might be done by the following trick with file permissions:
> 1) Create a special user in the system (say, wine), including its home directory. This directory must be unwritable, but readable/executable by other users.
> 2) Setuid wine binary to that user
> 3) Possibly create a wrapper script which will be started instead of the wine binary and it will set proper WINEPREFIX first and then call the binary
> 4) Install all the wanted binaries to that WINEPREFIX (which will reside in the wine home directory)
> 5) Manage wine dosdevices to disallow wine to see the root filesystem, let it see just its home directory and virtual C: drive
>
> Because of this setup, the kids will not be able to write to the wine home directory. The exception is that wine itself will be allowed to write there (which is necessary for most windows programs), so be sure that there is no tool installed in wine which allows downloading things (like IE, wget or similar).
>
> I hope it will work. I didn't test it, but according to the principles of Unix permission system, it should be OK.
>
> Regards, Pavel

I had no idea about this. You really have great tricks. Thanks for sharing these here.
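
A read-only audit of the layout from steps 1, 4 and 5 of the quoted reply, added here as an example that is not part of the thread. It assumes GNU/Linux `find` and `readlink -f`, and that Wine keeps its drive mappings as symlinks in the prefix's `dosdevices` directory; the function name and the finding labels are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): check a Wine prefix against the
# permission layout described above. Prefix path and owner are supplied by
# the caller; finding labels are invented for this sketch.
# usage: audit_wine_prefix <prefix-dir> <owner name or numeric uid>
audit_wine_prefix() {
    prefix=$(readlink -f -- "$1") && [ -d "$prefix" ] || {
        echo "no-such-prefix: $1"; return 2; }
    owner=$2
    findings=0

    # Steps 1 and 4: every file belongs to the dedicated account, otherwise
    # the real owner could simply chmod it writable again.
    bad=$(find "$prefix" ! -user "$owner")
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/wrong-owner: /'; findings=$((findings + 1))
    fi

    # Steps 1 and 4: nothing is writable by group or other. Symlinks are
    # skipped because their mode bits are always 777 and mean nothing.
    bad=$(find "$prefix" ! -type l \( -perm -020 -o -perm -002 \))
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/writable-by-others: /'; findings=$((findings + 1))
    fi

    # Step 1: other users still need read and execute on the top directory.
    if [ -z "$(find "$prefix" -prune -perm -005)" ]; then
        echo "not-readable-by-others: $prefix"; findings=$((findings + 1))
    fi

    # Step 5: each drive mapping must resolve to a path inside the prefix.
    for link in "$prefix"/dosdevices/*; do
        [ -L "$link" ] || continue
        target=$(readlink -f -- "$link") || target="(unresolvable)"
        case "$target/" in
            "$prefix"/*) ;;
            *) echo "drive-escapes-prefix: ${link##*/} -> $target"
               findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Run directly as: sh audit.sh /home/wine/.wine wine   (example arguments)
if [ "$#" -eq 2 ]; then audit_wine_prefix "$1" "$2"; fi
```

The function prints one finding per line and returns non-zero when anything deviates, so it can run from cron after each game install.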