On Sat, 2010-02-06 at 19:18 -0600, oiaohm wrote:
> This is the problem: if you turn CAP_NET_BIND_SERVICE on for wine, too
> many things also get access to that permission, things you may not
> want having access to that permission.
>
Agreed.

> I should have been more direct. Capabilities set on wine do inherit
> through. Wine is coded that way.
>
That's good to know. Thanks.

> CAP_NET_BIND_SERVICE is required so a few game servers work from
> wine. This is only done if there is no native version of that game
> server as well. Risks are too high to be doing it out of laziness.
>
Agreed again, but it's probably better than running the app as root or
giving it superuser privileges.

> Biggest problem with CAP_NET_BIND_SERVICE is that it exists to prevent
> conflicts and security breaches. Like a user running their own DNS
> server and overriding the system DNS server, so allowing a man in the
> middle attack. Basically a lot of services using ports under 1024 are
> critical services for security.
>
No argument here. I'd normally run that type of process as a daemon and
it WOULD NOT be running under Wine. If I *had* to give that sort of
access to a Wine app I'd probably leave it in userland and make it use a
proxy daemon.

> Problem here, Martin Gregorie: what mc2718 is asking to do is not safe,
> or is highly costly on system resources. There is no valid reason to be
> doing it.
>
Agreed again, but if somebody wants to stuff up his own system that's
his problem. He should know what he is doing before he tries any of
these tricks; if he doesn't understand the issues but tries it anyway
then he deserves all the grief he'll get. That is why I merely listed
manpages to read and did not say anything about how to use the
functions they describe. If the OP doesn't read them and think about
what he's read, he is unlikely to make anything work, and if he does
read up on these functions and doesn't think about the problems and
security holes he may cause, then if bad things happen he has only
himself to blame.

If he does this to anybody else's equipment then his liability
insurance cover had better be sufficient and the premium fully paid up.

> Basically, mc2718 or anyone else: use capabilities without valid
> grounds and if your system ends up developing lots of strange problems,
> don't complain to us. You would have brought it on yourself.
>
Quite.

> It's the same policy we have for people running as root without
> grounds. There is no valid reason ever to run wine as root on Linux.
>
Unfortunately Windows NT onwards has such laughable and misdesigned
"security features", including the ability to let the lazy-minded give
ordinary users System Administrator capability, that people think
superuser restrictions are only there to annoy them. All too many people
need a severe thrashing with a cluestick if they are ever to unlearn
these habits.

Martin
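The point made above is that a capability granted to the wine binary is inherited by whatever wine launches. A way to see what a process really holds is to read the CapEff and CapInh lines of /proc/self/status; the C program below is an added example (not code from this thread or from Wine) that does that and then tries to bind a privileged port to show the practical effect. It assumes CAP_NET_BIND_SERVICE is bit 10, as defined in linux/capability.h, and uses port 1023 as an arbitrary privileged port.

```c
/* Added example, not from the thread or Wine: report whether this process holds
 * CAP_NET_BIND_SERVICE (via /proc/self/status) and try to bind a port < 1024. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define CAP_NET_BIND_SERVICE_BIT 10   /* CAP_NET_BIND_SERVICE in <linux/capability.h> */

/* 1 if bit `cap` is set in a hex mask as printed in /proc/<pid>/status, else 0. */
int cap_in_mask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Locate "CapEff", "CapInh", etc. in a status buffer; -1 if the field is absent. */
int cap_in_status(const char *status, const char *field, int cap)
{
    const char *p = strstr(status, field);
    if (!p) return -1;
    p += strlen(field);
    while (*p == ':' || *p == ' ' || *p == '\t') p++;
    return cap_in_mask(p, cap);
}

/* Bind TCP on loopback:port; 0 on success, else errno (EACCES without the cap). */
int try_bind_privileged(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return rc;
}
int main(void)
{
    char buf[8192] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    printf("CapEff: %d  CapInh: %d\n", cap_in_status(buf, "CapEff", CAP_NET_BIND_SERVICE_BIT),
           cap_in_status(buf, "CapInh", CAP_NET_BIND_SERVICE_BIT));
    int rc = try_bind_privileged(1023);   /* 1023: arbitrary privileged port */
    printf("bind(127.0.0.1:1023) -> %s\n", rc ? strerror(rc) : "ok");
    return 0;
}
```

Run it once directly and once as a child of the capability-bearing binary; the two CapEff values show what inherited through.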