Sorry for the delay, I was very busy and couldn't find the time to write this answer sooner.

On 2010-04-12 (April, Monday) 12:43:52 Trohan wrote:
> Well basically, I don't wanna users can't change anything, just use the
> following programs:
>
> - Dreamweaver
> - Statgraphics
> - Office
> - Derive
>
> They don't need modify the filesystem

Applications like Dreamweaver or Office without the possibility to modify the filesystem can be used only to open files (users will not be able to edit or save anything). Are you sure you really want to block write access for Wine? Please note that the ability to save his/her work does not mean that a user can write anywhere in the filesystem. Usually with the programs you mentioned (which are supposed to be used to edit and save files) you want to allow user(s) to write to at least one directory.

> They don't need ... create another prefix of wine

You can add the following line to /etc/zsh/zshenv if your users are using zsh or to /etc/bash.bashrc:

    declare -rx WINEPREFIX=~/.wine

However, this will not stop someone who has an understanding of bash or zsh - such a user will bypass this "restriction" in just a few seconds (because it isn't actually a restriction). However, it is good to have this line there anyway even if all your users are smart enough to bypass it - to indicate to the user(s) that trying to change WINEPREFIX is wrong.

> especially playing games, nothing about this.

Let's consider two ways to do what you want:

If your users are not "too advanced" then doing the "declare -rx WINEPREFIX=~/.wine" trick and restricting access to 32-bit OpenGL libraries (or simply uninstalling those libraries) for your users will prevent them from running any game that needs advanced 2D or 3D graphics with Wine (or any other 32-bit application that needs those libraries).

If this isn't enough (for example you don't want your users to install anything easily) you can add more restrictions.
Create a user and group "wine", assign them to ~/.wine/drive_c of all your users using chown -R and chgrp -R, and use chmod -R go-w to prevent users from adding or changing files in drive_c.

Here is an example set of commands to achieve everything mentioned above:

    # Pin WINEPREFIX as a read-only, exported variable in the system-wide shell startup files
    if [[ -e /etc/zsh/zshenv ]]; then
        echo "declare -rx WINEPREFIX=~/.wine" >> /etc/zsh/zshenv
    fi
    if [[ -e /etc/bash.bashrc ]]; then
        echo "declare -rx WINEPREFIX=~/.wine" >> /etc/bash.bashrc
    fi

    # System account and group that will own every drive_c
    addgroup --system wine
    adduser --system wine --ingroup wine

    for i in "myuser1" "myuser2" "myuser3"; do
        # drive_c: owned by wine:wine, not writable by group or others
        chown -R wine /home/"$i"/.wine/drive_c
        chgrp -R wine /home/"$i"/.wine/drive_c
        chmod -R og-w /home/"$i"/.wine/drive_c
        # Remove drive Z:
        rm /home/"$i"/.wine/dosdevices/z:
        # The only writable location, exposed to Windows applications as X:
        mkdir /home/"$i"/Wine\ Documents
        chown "$i" /home/"$i"/Wine\ Documents
        chgrp "$i" /home/"$i"/Wine\ Documents
        chmod 770 /home/"$i"/Wine\ Documents
        ln -s /home/"$i"/Wine\ Documents /home/"$i"/.wine/dosdevices/x:
    done

Of course, replace "myuser1" "myuser2" "myuser3" with the real user list; all users should already have ~/.wine with all necessary programs installed. After the above commands each user will be able to write from all Wine programs only to the specifically designated directory ~/"Wine Documents", available as X: to Windows applications under Wine (you can change the commands to suit your real world needs).

Please note that some Windows applications require write access to certain directories or files. Use chown and chgrp to give back permission to write to such files and directories to your users (examples are: log files, configuration files you don't want to freeze, or a file/directory that causes an error if not writable).

If your users aren't "too advanced" this method may work very well.

I don't want to describe the second way before you say you really require it.
Also, I must warn you that the second way will place restrictions that cannot be bypassed (at least in theory) only if you make zero mistakes; this way will also require from you some advanced knowledge or time to learn it (nothing very hard, but not simple either). It will take a lot of your time just to put together a white-list of executables your users are allowed to run - both Linux and Windows executables - to be 100% sure that users will run only those programs they are supposed to run.

Actually there is a third way - to monitor your users by recording their actions for later review (reviewing 8 hours of someone's active work is usually very fast - just a few minutes or even seconds if using some kind of automation). In this case you first warn your users that all their actions are carefully monitored and recorded, including the full content of their screen. If your users can have even a small but real problem(s) in case you have 100% proof that they were doing something that they aren't supposed to do (for example, playing games) then this method can be very effective; otherwise it's useless. If you are interested in this way I can give you all you need to quickly set this up. If you are unfamiliar with this method it may look to you like something complex or time consuming, but it isn't, and that's why it can work even if you have many users.

The first and third ways can be combined together for greater effectiveness.

My suggestion: first try the first way (perhaps combining it with monitoring of your users). If it does not work well enough then you will need to do it properly and restrict your users to only those programs and permissions they really need (the second way).
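
Added example, not part of the original message: a check an administrator can run after the commands above to confirm that one user's prefix really ended up in the described state (z: gone, x: pointing at "Wine Documents", drive_c neither owned by the user nor group/world-writable). The function name audit_wine_home and its two arguments (home directory, numeric UID) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit one user's Wine prefix against the lockdown described above.
# Usage: audit_wine_home /home/myuser1 "$(id -u myuser1)"
# Prints one "FINDING:" line per deviation and nothing when the prefix matches.
audit_wine_home() {
    home=$1
    uid=$2                      # numeric UID of the restricted user
    prefix="$home/.wine"
    docs="$home/Wine Documents"

    if [ ! -d "$prefix/drive_c" ]; then
        echo "FINDING: $prefix/drive_c is missing"
        return 0
    fi

    # The commands above remove z:, which a default Wine prefix maps to /.
    if [ -e "$prefix/dosdevices/z:" ] || [ -L "$prefix/dosdevices/z:" ]; then
        echo "FINDING: drive z: still exists in $prefix/dosdevices"
    fi

    # x: must be a symlink to the one directory the user may write to.
    if [ "$(readlink "$prefix/dosdevices/x:" 2>/dev/null)" != "$docs" ]; then
        echo "FINDING: drive x: does not point to $docs"
    fi

    # After chown -R wine, nothing under drive_c should belong to the user.
    owned=$(find "$prefix/drive_c" -user "$uid" -print | wc -l)
    if [ "$owned" -gt 0 ]; then
        echo "FINDING: $owned entries under drive_c are owned by UID $uid"
    fi

    # After chmod -R og-w, nothing should be group- or world-writable
    # (symlinks are skipped: their mode bits are not used for access checks).
    loose=$(find "$prefix/drive_c" ! -type l \( -perm -020 -o -perm -002 \) -print | wc -l)
    if [ "$loose" -gt 0 ]; then
        echo "FINDING: $loose entries under drive_c are group/world-writable"
    fi
    return 0
}
```

Run it once per user in the list; re-running it after giving write access back to individual files shows exactly which entries are now exceptions.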