On Sat, 2010-11-06 at 05:57 -0500, and78386 wrote:
> So there seems to be no way or rather no easy way to prevent the users from going to download.com to install some crap freeware in Wine?
>
> That's bad because it would annul the whole security concept I've configured for the non-admin users on my machines.
>
> So Wine seems to be no option in secure multiuser environments?
>

How about this? It requires a little programming but that can be done in almost any language: C, Java, Perl or Python:

- move the wine executable to a different directory. Let's call it /var/lib/.wine so the wine executable's path is /var/lib/.wine/wine and, because of the dot, this won't appear in normal directory listings

- write a program called wine and put it in /usr/bin in place of the original wine. This program will accept the usual wine command line arguments and pass them to /var/lib/.wine/wine for execution along with the environment variable set. However, before doing that it checks the first argument (the program name) to see if it's been authorised.

To check authorisation:

1) if the program name contains slashes or backslashes discard everything up to and including the last slash or backslash, i.e. .wine/drive_c/Program Files/Myapp/app.exe and c:\Program Files\Myapp\app.exe would both convert to app.exe

2) if the program name doesn't have an extension, add .exe

3) look this up in the authorised programs list, say /var/lib/.wine/authorised.txt

If the program isn't authorised tell the user that it won't be run and that the administrator will be informed. Send an e-mail to the administrator reporting the full program name and who was trying it on.

=====

Another idea is to run a shell script under root every hour to scan the /home and /tmp directories, as well as any other places that your users have write access to, for unauthorised programs. If any are found the script can e-mail details to the administrator and/or delete the programs.

This could be written as a shell script and dropped into the cron.hourly job. I'd use either find and awk to do the scan or simply write the lot in Perl or Python. If you go with the first idea this would be a backup and would use the same authorised program list. Otherwise its list can simply be put in /usr/local/etc and, if it is owned by root and only root has read and write access, a miscreant can't alter or inspect it. Same goes for the cron script.

Martin
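
The wrapper from the first idea, written out in Python as an added example (not code from the original message). The two /var/lib/.wine paths come from the post; the list format (one file name per line, # comments), case-insensitive matching, and mail to root@localhost through a local MTA are assumptions.

```python
#!/usr/bin/env python3
import os
import pwd
import smtplib
import sys
from email.message import EmailMessage

REAL_WINE = "/var/lib/.wine/wine"            # relocated binary (path from the post)
ALLOWLIST = "/var/lib/.wine/authorised.txt"  # authorised list (path from the post)
ADMIN = "root@localhost"                     # assumption: admin mailbox, local MTA

def normalise(program):
    """Steps 1-2: drop everything up to the last / or \\, add .exe if no extension."""
    name = program.replace("\\", "/").rsplit("/", 1)[-1]
    if name and not os.path.splitext(name)[1]:
        name += ".exe"
    return name.lower()  # assumption: case-insensitive match, as Windows names are

def load_allowlist(lines):
    """Assumed file format: one file name per line, '#' starts a comment line."""
    names = (line.strip().lower() for line in lines)
    return {n for n in names if n and not n.startswith("#")}

def is_authorised(program, allowed):
    """Step 3: look the normalised name up in the authorised list."""
    name = normalise(program)
    return bool(name) and name in allowed

def report(program, user):
    """Mail the full program name and the invoking user to the administrator."""
    msg = EmailMessage()
    msg["From"], msg["To"] = ADMIN, ADMIN
    msg["Subject"] = "wine: unauthorised program refused"
    msg.set_content(f"user={user}\nprogram={program!r}\n")
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(msg)

def main(argv):
    if len(argv) < 2:
        return "usage: wine PROGRAM [ARGUMENTS...]"
    with open(ALLOWLIST) as fh:
        allowed = load_allowlist(fh)
    if not is_authorised(argv[1], allowed):  # fails closed, also for --version etc.
        try:
            report(argv[1], pwd.getpwuid(os.getuid()).pw_name)
        except OSError:
            pass  # still refuse when the mail cannot be sent
        return f"wine: {argv[1]} is not authorised; the administrator will be informed"
    os.execv(REAL_WINE, [REAL_WINE] + argv[1:])  # environment is inherited

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Matching is on the file name only, as in the post, so an entry in the list says nothing about a file's contents; recording a hash beside each name would tie the entry to one specific binary.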