Hi, I would like to please call for attention on bug https://bugs.winehq.org/show_bug.cgi?id=39884
As far as I understand there are only benefits to users if we allow .exe files to run through binfmt, would it pose any kind of problem to add this configuration to our packages?
Best wishes, Bruno
On Sat, Jul 23, 2016 at 1:57 AM, Bruno Jesus 00cpxxx@gmail.com wrote:
Hi, I would like to please call for attention on bug https://bugs.winehq.org/show_bug.cgi?id=39884
As far as I understand there are only benefits to users if we allow .exe files to run through binfmt, would it pose any kind of problem to add this configuration to our packages?
It looks like nobody thinks it is a problem so I'll ask it to be added in order to resolve the bug.
On Mon, Aug 22, 2016 at 12:24:29AM -0300, Bruno Jesus wrote:
On Sat, Jul 23, 2016 at 1:57 AM, Bruno Jesus 00cpxxx@gmail.com wrote:
Hi, I would like to please call for attention on bug https://bugs.winehq.org/show_bug.cgi?id=39884
As far as I understand there are only benefits to users if we allow .exe files to run through binfmt, would it pose any kind of problem to add this configuration to our packages?
It looks like nobody thinks it is a problem so I'll ask it to be added in order to resolve the bug.
Hmm, forgot to answer ...
Do you have a way to handle DOS exe and also C# exe files?
Ciao, Marcus
On Mon, Aug 22, 2016 at 1:18 AM, Marcus Meissner marcus@jet.franken.de wrote:
On Mon, Aug 22, 2016 at 12:24:29AM -0300, Bruno Jesus wrote:
On Sat, Jul 23, 2016 at 1:57 AM, Bruno Jesus 00cpxxx@gmail.com wrote:
Hi, I would like to please call for attention on bug https://bugs.winehq.org/show_bug.cgi?id=39884
As far as I understand there are only benefits to users if we allow .exe files to run through binfmt, would it pose any kind of problem to add this configuration to our packages?
It looks like nobody thinks it is a problem so I'll ask it to be added in order to resolve the bug.
Hmm, forgot to answer ...
No problem, I'm trying to start a discussion about this.
Do you have a way to handle DOS exe and also C# exe files?
No idea, I just found [1] which seems to talk about getting Mono exe files to run. [1] http://www.mono-project.com/archived/guiderunning_mono_applications/
On Mon, 22 Aug 2016 00:24:29 -0300 Bruno Jesus 00cpxxx@gmail.com wrote:
On Sat, Jul 23, 2016 at 1:57 AM, Bruno Jesus 00cpxxx@gmail.com wrote:
Hi, I would like to please call for attention on bug https://bugs.winehq.org/show_bug.cgi?id=39884
As far as I understand there are only benefits to users if we allow .exe files to run through binfmt, would it pose any kind of problem to add this configuration to our packages?
It looks like nobody thinks it is a problem so I'll ask it to be added in order to resolve the bug.
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
On 22.08.2016 15:14, Rosanne DiMesio wrote:
On Mon, 22 Aug 2016 00:24:29 -0300 Bruno Jesus 00cpxxx@gmail.com wrote:
On Sat, Jul 23, 2016 at 1:57 AM, Bruno Jesus 00cpxxx@gmail.com wrote:
Hi, I would like to please call for attention on bug https://bugs.winehq.org/show_bug.cgi?id=39884
As far as I understand there are only benefits to users if we allow .exe files to run through binfmt, would it pose any kind of problem to add this configuration to our packages?
It looks like nobody thinks it is a problem so I'll ask it to be added in order to resolve the bug.
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
E.g. above mentioned bug already states: "[binfmt] is also helpful for security because it allows each Windows program to be run with different AppArmor profile." However this doesn't require automatically enabled binfmt support, just the possibility to do so.
Greets jre
On Mon, 22 Aug 2016 15:28:39 +0200 Jens Reyer jre.winesim@gmail.com wrote:
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
It's good to know I'm not just imagining things. :-)
E.g. above mentioned bug already states: "[binfmt] is also helpful for security because it allows each Windows program to be run with different AppArmor profile." However this doesn't require automatically enabled binfmt support, just the possibility to do so.
IMO, the majority of users aren't using AppArmor, and we shouldn't be creating security risks for them. I also think that users who are technically skilled enough to create multiple AppArmor profiles should also be capable of following instructions for enabling binfmt support themselves. The actual problem for this user (who started on the forum, btw) is that I have been unable to find step-by-step instructions for Ubuntu. (There are instructions on the Arch wiki, but the user reported they didn't work on Ubuntu.)
My preferred resolution to bug 39884 would be WONTFIX with an explanation of why, but it would be nice if someone could come up with step-by-step instructions for enabling binfmt support for Wine on Ubuntu that we could link to or add to our Ubuntu wiki page (with a warning about the risks).
On Mon, Aug 22, 2016 at 11:57 AM, Rosanne DiMesio dimesio@earthlink.net wrote:
On Mon, 22 Aug 2016 15:28:39 +0200 Jens Reyer jre.winesim@gmail.com wrote:
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
Hi, I don't understand the security implications yet. If I download a malware and run it like ./malware.exe or wine malware.exe what is the difference? Also in a file manager double clicking exe run wine correctly, why isn't this a security problem? What is a real example of a malware that benefits from this?
IMO, the majority of users aren't using AppArmor, and we shouldn't be creating security risks for them. I also think that users who are technically skilled enough to create multiple AppArmor profiles should also be capable of following instructions for enabling binfmt support themselves. The actual problem for this user (who started on the forum, btw) is that I have been unable to find step-by-step instructions for Ubuntu. (There are instructions on the Arch wiki, but the user reported they didn't work on Ubuntu.)
My preferred resolution to bug 39884 would be WONTFIX with an explanation of why, but it would be nice if someone could come up with step-by-step instructions for enabling binfmt support for Wine on Ubuntu that we could link to or add to our Ubuntu wiki page (with a warning about the risks).
Fine by me, I just fail to understand the security risks.
On 22.08.2016 17:52, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 11:57 AM, Rosanne DiMesio dimesio@earthlink.net wrote:
On Mon, 22 Aug 2016 15:28:39 +0200 Jens Reyer jre.winesim@gmail.com wrote:
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
Hi, I don't understand the security implications yet. If I download a malware and run it like ./malware.exe or wine malware.exe what is the difference?
Whether you can accidentally do it manually? And if something else is able to start the exe?
Also in a file manager double clicking exe run wine correctly, why isn't this a security problem?
AFAIK for this you also need the desktop files (which afaik are packaged by winehq). I think desktop files need to be considered at the same time as binfmt support for their security implications.
What is a real example of a malware that benefits from this?
Having that would indeed help, I'm not really sure about this myself.
Greets jre
On Mon, Aug 22, 2016 at 1:08 PM, Jens Reyer jre.winesim@gmail.com wrote:
On 22.08.2016 17:52, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 11:57 AM, Rosanne DiMesio dimesio@earthlink.net wrote:
On Mon, 22 Aug 2016 15:28:39 +0200 Jens Reyer jre.winesim@gmail.com wrote:
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
Hi, I don't understand the security implications yet. If I download a malware and run it like ./malware.exe or wine malware.exe what is the difference?
Whether you can accidentally do it manually? And if something else is able to start the exe?
Sorry, I really still don't understand what is the problem. You mean I can accidentally type and run ./malware.exe for example using tab key completion? That is the problem?
What is a real example of a malware that benefits from this?
Having that would indeed help, I'm not really sure about this myself.
I'm not asking for a real case virus name that would do it =) I'm asking more like a general idea of what is the problem. If malware.exe is already running it does not need binfmt support to run another exe programs. If a linux sh has a hidden malware.exe I'm pretty sure the hackers behind it will be smart enough to find the correct way (./malware or wine malware) to run it.
On 22.08.2016 18:18, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 1:08 PM, Jens Reyer jre.winesim@gmail.com wrote:
On 22.08.2016 17:52, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 11:57 AM, Rosanne DiMesio dimesio@earthlink.net wrote:
On Mon, 22 Aug 2016 15:28:39 +0200 Jens Reyer jre.winesim@gmail.com wrote:
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
Hi, I don't understand the security implications yet. If I download a malware and run it like ./malware.exe or wine malware.exe what is the difference?
Whether you can accidentally do it manually? And if something else is able to start the exe?
Sorry, I really still don't understand what is the problem. You mean I can accidentally type and run ./malware.exe for example using tab key completion? That is the problem?
First off, I can't say for sure, still making up my mind on this.
But yes, either that, or Rosanne's USB thumb drive example, or email attachments.
When I last discussed this with someone it was suggested to add some code to Wine which checks if an exe was run before. If it runs the first time you might prompt the user to confirm (so something like the infamous Windows warning about unknown applications, which usually just gets clicked away).
Greets jre
On Mon, 22 Aug 2016 18:36:46 +0200 Jens Reyer jre.winesim@gmail.com wrote:
When I last discussed this with someone it was suggested to add some code to Wine which checks if an exe was run before. If it runs the first time you might prompt the user to confirm (so something like the infamous Windows warning about unknown applications, which usually just gets clicked away).
I think that would be extremely annoying to just about everybody.
On 08/22/2016 06:36 PM, Jens Reyer wrote:
On 22.08.2016 18:18, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 1:08 PM, Jens Reyer jre.winesim@gmail.com wrote:
On 22.08.2016 17:52, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 11:57 AM, Rosanne DiMesio dimesio@earthlink.net wrote:
On Mon, 22 Aug 2016 15:28:39 +0200 Jens Reyer jre.winesim@gmail.com wrote:
> > What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
Hi, I don't understand the security implications yet. If I download a malware and run it like ./malware.exe or wine malware.exe what is the difference?
Whether you can accidentally do it manually? And if something else is able to start the exe?
Sorry, I really still don't understand what is the problem. You mean I can accidentally type and run ./malware.exe for example using tab key completion? That is the problem?
First off, I can't say for sure, still making up my mind on this.
But yes, either that, or Rosanne's USB thumb drive example, or email attachments.
When I last discussed this with someone it was suggested to add some code to Wine which checks if an exe was run before. If it runs the first time you might prompt the user to confirm (so something like the infamous Windows warning about unknown applications, which usually just gets clicked away).
How is a Windows .exe different from an ELF binary in this regard? Isn’t asking for confirmation the job of the e-mail client / file manager?
I am positive that binfmt poses no real security concern. It would simply make Windows binaries interchangeable with Linux binaries, and all of the security protections that currently apply to Linux binaries would apply equally to Windows binaries. Some versions of Windows happily executed binaries from USB drives or from the Internet without asking, but that does not happen on Linux. In fact, it's easy to forget that you have to explicitly give execution permissions to a downloaded file before Linux will let you execute it. If the file is on a USB drive, unless the drive has a Linux filesystem, the binary must be moved off of the drive before it can receive execution permissions.
I think the real problem here is a technical one: The loader would have to launch Wine, Mono, or DOSBox depending on the contents of the binary.
-Alex
On Mon, Aug 22, 2016 at 11:26 PM, Alex Henrie alexhenrie24@gmail.com wrote:
I think the real problem here is a technical one: The loader would have to launch Wine, Mono, or DOSBox depending on the contents of the binary.
This is the part I also don't understand. When I run wine ancient_dos.exe, or wine wine32.exe or wine dot_net_app.exe wine seems to figure out what is supposed to be launched. Why would it be different with binfmt? It will call wine and wine will sort it out, no?
2016-08-22 20:50 GMT-06:00 Bruno Jesus 00cpxxx@gmail.com:
On Mon, Aug 22, 2016 at 11:26 PM, Alex Henrie alexhenrie24@gmail.com wrote:
I think the real problem here is a technical one: The loader would have to launch Wine, Mono, or DOSBox depending on the contents of the binary.
This is the part I also don't understand. When I run wine ancient_dos.exe, or wine wine32.exe or wine dot_net_app.exe wine seems to figure out what is supposed to be launched. Why would it be different with binfmt? It will call wine and wine will sort it out, no?
I haven't actually tried it. If you say it works, I believe you, and that problem is already solved.
-Alex
On Mon, Aug 22, 2016 at 11:50:15PM -0300, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 11:26 PM, Alex Henrie alexhenrie24@gmail.com wrote:
I think the real problem here is a technical one: The loader would have to launch Wine, Mono, or DOSBox depending on the contents of the binary.
This is the part I also don't understand. When I run wine ancient_dos.exe, or wine wine32.exe or wine dot_net_app.exe wine seems to figure out what is supposed to be launched. Why would it be different with binfmt? It will call wine and wine will sort it out, no?
I doubt it will launch the Linux Mono though, but try the Wine Mono stack.
Ciao, Marcus
On 23.08.2016 09:21, Marcus Meissner wrote:
On Mon, Aug 22, 2016 at 11:50:15PM -0300, Bruno Jesus wrote:
On Mon, Aug 22, 2016 at 11:26 PM, Alex Henrie alexhenrie24@gmail.com wrote:
I think the real problem here is a technical one: The loader would have to launch Wine, Mono, or DOSBox depending on the contents of the binary.
This is the part I also don't understand. When I run wine ancient_dos.exe, or wine wine32.exe or wine dot_net_app.exe wine seems to figure out what is supposed to be launched. Why would it be different with binfmt? It will call wine and wine will sort it out, no?
I can confirm that binfmt support for Wine with DOSBox works. I successfully tested it with the 16-bit DOS app Daggerfall:
~~~~~
$ file INSTALL.EXE
INSTALL.EXE: MS-DOS executable, LE executable for MS-DOS, CauseWay DOS extender
~~~~~
"./INSTALL.EXE" works with Wine and DOSBox installed (Note: Unfortunately the changes to make DOSBox work with Wine still didn't make it to an official DOSBox release, yet. But e.g. in Debian they are already applied.)
If DOSBox isn't installed you get an understandable error message.
I doubt it will launch the Linux Mono though, but try the Wine Mono stack.
I don't know the implications for Wine, but the native "mono-runtime" package in Debian installs binfmt support for the same magic "MZ":
~~~~~
# sudo update-binfmts --display
[...]
cli (enabled):
     package = mono-runtime
        type = magic
      offset = 0
       magic = MZ
        mask =
 interpreter = /usr/bin/cli
    detector = /usr/lib/cli/binfmt-detector-cli
[...]
wine (enabled):
     package = wine
        type = magic
      offset = 0
       magic = MZ
        mask =
 interpreter = /usr/bin/wine
    detector =
[...]
~~~~~
At least for the non-.NET applications that I tested this didn't cause any trouble - they were correctly started with Wine.
I don't know any .Net applications, so no tests here.
Greets jre
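An added example, not part of the original thread and not the code of Wine, Mono or binfmt-support: because both handlers above claim the same two-byte magic "MZ", something has to look deeper into the header to tell a DOS program, a native Windows PE and a .NET assembly apart. The function names, class labels and the header-only sample images below are constructed for illustration.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # data directory slot of the CLR (.NET) runtime header


def classify_mz(data: bytes) -> str:
    """Return 'not-mz', 'mz-legacy', 'pe-native' or 'pe-dotnet' for a file image."""
    if data[:2] != b"MZ":
        return "not-mz"
    if len(data) < 0x40:
        return "mz-legacy"                # too short to carry e_lfanew
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-legacy"                # plain DOS, or NE/LE/LX behind a DOS stub
    opt = e_lfanew + 24                   # skip PE signature (4) + COFF header (20)
    if len(data) < opt + 2:
        return "pe-native"                # truncated: let the PE loader reject it
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ directory offset
    if dirs is None:
        return "pe-native"
    entry = opt + dirs + 8 * CLR_DIRECTORY_INDEX
    if len(data) < entry + 8:
        return "pe-native"
    (count,) = struct.unpack_from("<I", data, opt + dirs - 4)
    rva, size = struct.unpack_from("<II", data, entry)
    return "pe-dotnet" if count > CLR_DIRECTORY_INDEX and rva and size else "pe-native"


def sample_image(kind: str) -> bytes:
    """Build a constructed, header-only image of the given kind (not a real program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    if kind == "dos":
        return bytes(dos)
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> next header
    if kind == "le":
        return bytes(dos) + b"LE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if kind == "dotnet":
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 72)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Runtime each class is typically handed to; labels are illustrative only.
RUNTIME = {"mz-legacy": "Wine (DOSBox for DOS programs)", "pe-native": "Wine",
           "pe-dotnet": "Mono", "not-mz": None}

if __name__ == "__main__":
    for kind in ("dos", "le", "native", "dotnet"):
        verdict = classify_mz(sample_image(kind))
        print(f"{kind:7} -> {verdict:10} -> {RUNTIME[verdict]}")
```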
On Mon, 22 Aug 2016 12:52:06 -0300 Bruno Jesus 00cpxxx@gmail.com wrote:
Hi, I don't understand the security implications yet. If I download a malware and run it like ./malware.exe or wine malware.exe what is the difference? Also in a file manager double clicking exe run wine correctly, why isn't this a security problem? What is a real example of a malware that benefits from this?
I was mostly thinking of malware that gets secretly downloaded by visiting a contaminated web page and then executes without the user ever seeing it. I also recall a few years ago getting malware from the school network on one of my flash drives. It installed an .exe file that was hidden in Windows, but which executed itself whenever I plugged the drive into a Windows computer. It couldn't do that on my Linux computer.
On 22.08.2016 16:57, Rosanne DiMesio wrote:
On Mon, 22 Aug 2016 15:28:39 +0200 Jens Reyer jre.winesim@gmail.com wrote:
What are the security implications? Won't this make it easier for malware to execute without being Wine-aware, or am I just being paranoid?
We don't enable binfmt in Debian for exactly this reason (see https://bugs.debian.org/819255). So I'd also be interested in other opinions.
It's good to know I'm not just imagining things. :-)
E.g. above mentioned bug already states: "[binfmt] is also helpful for security because it allows each Windows program to be run with different AppArmor profile." However this doesn't require automatically enabled binfmt support, just the possibility to do so.
IMO, the majority of users aren't using AppArmor, and we shouldn't be creating security risks for them. I also think that users who are technically skilled enough to create multiple AppArmor profiles should also be capable of following instructions for enabling binfmt support themselves. The actual problem for this user (who started on the forum, btw) is that I have been unable to find step-by-step instructions for Ubuntu. (There are instructions on the Arch wiki, but the user reported they didn't work on Ubuntu.)
My preferred resolution to bug 39884 would be WONTFIX with an explanation of why, but it would be nice if someone could come up with step-by-step instructions for enabling binfmt support for Wine on Ubuntu that we could link to or add to our Ubuntu wiki page (with a warning about the risks).
Assuming you have /usr/bin/wine (the winehq- packages):
First install a file /usr/share/binfmts/wine:
~~~~~
package wine
interpreter /usr/bin/wine
magic MZ
~~~~~

Then execute:
$ sudo update-binfmts --import wine
Winehq might
* add this file to the Winehq packaging, but install it to another place and use "--importdir /path/to/file" in the instructions (I suggest to *not* change the interpreter (e.g. to /opt/wine-devel/bin/wine), to avoid any conflicts with other wine package which might activate binfmt support), or
* also create a package wine-binfmt as we have in Debian, or
* just recommend to install our "wine-binfmt".
Note 1: I'll bring that up in another mail, but we might make the winehq-* packages co-installable with the Debian packages, because Debian now uses the Debian "alternatives" system, which allows the user to choose which package is to provide the commands in /usr/bin/ by making them automatically handled symlinks pointing to the binaries from the chosen package. A file in /usr/share/binfmts/wine would then unnecessarily create a conflict between the Winehq and Debian packages again.
Note 2: Ubuntu is probably moving to the Debian packages.
This is what we have in the README.debian:
~~~~~
[...]
To configure backend support for that, you'll need to install the wine-binfmt package first and then execute:
$ sudo update-binfmts --import wine

This change increases the risk of inadvertently launching Windows malware, so please make sure that you understand the security risks before blindly setting this up.

To remove the support again execute:
$ sudo update-binfmts --package wine --remove wine /usr/bin/wine
~~~~~
Greets jre
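An added example, not part of the original thread or of any Wine or Debian package: a small audit that reports whether a machine currently has a binfmt handler that will run Windows executables directly, which is the state the instructions above create. It parses the per-handler text files the kernel exposes under /proc/sys/fs/binfmt_misc; the sample entries and every handler name except the wine interpreter path from the post are constructed.

```python
import os

BINFMT_DIR = "/proc/sys/fs/binfmt_misc"

# Constructed sample entries in the kernel's per-handler text format.
SAMPLE = {
    "wine": "enabled\ninterpreter /usr/bin/wine\nflags: \noffset 0\nmagic 4d5a\n",
    "wine-old": "disabled\ninterpreter /usr/bin/wine\nflags: \noffset 0\nmagic 4d5a\n",
    "exe-by-name": "enabled\ninterpreter /usr/local/bin/runexe\nflags: \nextension .exe\n",
    "python3.5": "enabled\ninterpreter /usr/bin/python3.5\nflags: \noffset 0\nmagic 160d0d0a\n",
}


def parse_entry(text):
    """Turn one handler file into a dict: 'enabled' flag plus its key/value lines."""
    lines = text.strip().splitlines() or [""]
    entry = {"enabled": lines[0].strip() == "enabled"}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        entry[key.rstrip(":")] = value.strip()
    return entry


def claims_windows_exe(entry):
    """True if an enabled handler matches a file that starts with 'MZ' or ends in .exe."""
    if not entry["enabled"]:
        return False
    if entry.get("extension", "").lstrip(".").lower() == "exe":
        return True
    if entry.get("offset") != "0" or not entry.get("magic"):
        return False
    magic = bytes.fromhex(entry["magic"])
    mask = bytes.fromhex(entry["mask"]) if entry.get("mask") else b"\xff" * len(magic)
    # Same comparison the kernel applies: (file_byte XOR magic_byte) AND mask_byte == 0.
    return len(magic) >= 2 and len(mask) >= 2 and all(
        (m ^ h) & k == 0 for m, h, k in zip(magic, b"MZ", mask))


def audit(entries):
    """Return sorted (handler name, interpreter) pairs that accept Windows executables."""
    hits = []
    for name in sorted(entries):
        entry = parse_entry(entries[name])
        if claims_windows_exe(entry):
            hits.append((name, entry.get("interpreter", "?")))
    return hits


def read_live(root=BINFMT_DIR):
    """Read the handler files of the running system, skipping the control files."""
    entries = {}
    for name in os.listdir(root):
        if name in ("register", "status"):
            continue
        with open(os.path.join(root, name)) as fh:
            entries[name] = fh.read()
    return entries


if __name__ == "__main__":
    entries = read_live() if os.path.isdir(BINFMT_DIR) else SAMPLE
    for name, interp in audit(entries):
        print(f"{name}: Windows executables are handed to {interp}")
```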