FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux Development

 
 
LinkBack Thread Tools
 
Old 08-28-2008, 03:05 PM
Eduardo Romero
 
Default Wine association, waht should we do?

Some users expressed concern in the capabilities of the Wine package to
run .exe or autorun files by default, and sometimes this without asking
permission from the user. This can be stopped, the solution can be
taking this line:
MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload;
out of the wine.desktop file.

And adding a message telling the user that in order to enable file
association with wine the have to issue the following command as root:
echo
"MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload;" >> /usr/share/applications/wine.desktop

Thanks goes to trivialstuff for looking into this, I didn't had the time
to.

The discussion has been going on here:
http://bbs.archlinux.org/viewtopic.php?id=54162

I will appreciate your suggestions guys.

Thanks

Eduardo "kensai" Romero
 
Old 08-28-2008, 03:19 PM
"Ronald van Haren"
 
Default Wine association, waht should we do?

On Thu, Aug 28, 2008 at 5:05 PM, Eduardo Romero <k3nsai@gmail.com> wrote:
> Some users expressed concern in the capabilities of the Wine package to
> run .exe or autorun files by default, and sometimes this without asking
> permission from the user. This can be stopped, the solution can be
> taking this line:
> MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload;
> out of the wine.desktop file.
>
> And adding a message telling the user that in order to enable file
> association with wine the have to issue the following command as root:
> echo
> "MimeType=application/x-ms-dos-executable;application/x-msdos-program;application/x-msdownload;" >> /usr/share/applications/wine.desktop
>
> Thanks goes to trivialstuff for looking into this, I didn't had the time
> to.
>
> The discussion has been going on here:
> http://bbs.archlinux.org/viewtopic.php?id=54162
>
> I will appreciate your suggestions guys.
>
> Thanks
>
> Eduardo "kensai" Romero
>
>

umm as I understand a user still has to click the file for it to be
executed via wine? I don't see any problem there. If someone is
affraid to click a .exe file, then either they should remove the file
association on their local machine or remove wine altogether (btw I
seriously doubt that any virus will do harm when executed via wine
(or has it become that good?)).
I suggest to keep it as is (as was intended upstream), maybe adding a
message saying what to do to disable the file association.

Ronald
 
Old 08-28-2008, 03:25 PM
Thomas Bächler
 
Default Wine association, waht should we do?

Ronald van Haren schrieb:

The discussion has been going on here:
http://bbs.archlinux.org/viewtopic.php?id=54162

I will appreciate your suggestions guys.

Thanks

Eduardo "kensai" Romero




umm as I understand a user still has to click the file for it to be
executed via wine? I don't see any problem there. If someone is
affraid to click a .exe file, then either they should remove the file
association on their local machine or remove wine altogether (btw I
seriously doubt that any virus will do harm when executed via wine
(or has it become that good?)).
I suggest to keep it as is (as was intended upstream), maybe adding a
message saying what to do to disable the file association.

Ronald



Agreed. And someone should probably point the paranoid poster to
pacman's NoUpgrade option, so the .desktop file stays the way he wants
it even after updates.
 
Old 08-28-2008, 03:59 PM
Eduardo Romero
 
Default Wine association, waht should we do?

On Thu, 2008-08-28 at 17:19 +0200, Ronald van Haren wrote:
>
> umm as I understand a user still has to click the file for it to be
> executed via wine? I don't see any problem there. If someone is
> affraid to click a .exe file, then either they should remove the file
> association on their local machine or remove wine altogether (btw I
> seriously doubt that any virus will do harm when executed via wine
> (or has it become that good?)).
> I suggest to keep it as is (as was intended upstream), maybe adding a
> message saying what to do to disable the file association.
>
> Ronald
It does run viruses, this has been tested before, they don't do much
harm though. And, autorun files are the thread since they don't require
a click. And yes you are right, it was intended to be that way upstream.
 
Old 08-28-2008, 04:21 PM
"Ronald van Haren"
 
Default Wine association, waht should we do?

On Thu, Aug 28, 2008 at 5:59 PM, Eduardo Romero <k3nsai@gmail.com> wrote:
> It does run viruses, this has been tested before, they don't do much
> harm though.
so that is a non-issue if it does no harm.


> And, autorun files are the thread since they don't require
> a click. And yes you are right, it was intended to be that way upstream.
>
this should depend on how you configured your wm/de. I've never seen
any cd autorun by default on my desktop.
As I see it, most WMs don't autorun cds by default.
KDE can autorun cds, but by default it asks if it should autorun the cd, IIRC.
Of course some others may autorun cds by default, I have no idea, but
even in that case, it is the users responsibility what he sticks in
his cd drive. If he legally buys his cds there should be no virus on
it. Sure you can get a virus on a usb stick or so, but much depends
what you do with these devices.

Ronald
 
Old 08-28-2008, 05:01 PM
"Jeff Mickey"
 
Default Wine association, waht should we do?

Whoa.

I just want to make my opinion known that in NO WAY should we be
modifying packages so that if users turn on an AutoRun the package
doesn't run. You turn on some kind of AutoRun feature, you deal with
the consequences. Not to mention the OP in the bbs thread linked has
a use case that isn't normal for wine. Not normal in the "I don't
want wine to run .exe' even though I just clicked on them" kinda way.

I'm amazed this is even a discussion.

// jeff
--
. : [ + carpe diem totus tuus + ] : .
 
Old 08-28-2008, 06:32 PM
Eduardo Romero
 
Default Wine association, waht should we do?

On Thu, 2008-08-28 at 13:01 -0400, Jeff Mickey wrote:
> I'm amazed this is even a discussion.
>
> // jeff
I'm not, it is a matter of opinions, so don't be amazed.

Thanks all the others for the suggestions that helped. It will be known
how to disable it, but we won't disable it. I just wanted to know if
anyone else thought it was a security thread to have it that way. As I
mentioned before, I didn't had much time to investigate this matter,
that is why discussion was started.

Case closed, won't fix, since it behaves as the package should behave.

Thanks

Eduardo "kensai" Romero
 
Old 08-28-2008, 11:06 PM
"James Rayner"
 
Default Wine association, waht should we do?

On 8/29/08, Jeff Mickey <jeff@archlinux.org> wrote:
> Whoa.
>
> I just want to make my opinion known that in NO WAY should we be
> modifying packages so that if users turn on an AutoRun the package
> doesn't run. You turn on some kind of AutoRun feature, you deal with
> the consequences. Not to mention the OP in the bbs thread linked has
> a use case that isn't normal for wine. Not normal in the "I don't
> want wine to run .exe' even though I just clicked on them" kinda way.

And just to clarify something...
1) KDE (not wine), just _alerted_ that there was an autorun available.
So it's a KDE feature, not wine.
2) It only alerted that there's an autorun available (presumably
checking for autorun.inf) but did not run it. You had to click OK to
execute the autorun
3) It makes sense for wine to be bound to exe's. Exe's should be
treated no different to any file type, as any file could possibly
contain a danger. Don't click an exe you dont trust, like you wouldnt
click a shell script or binary or any other file you don't trust the
source.

So just to get things straight, no executable/autoruns are run without
asking the user first. There's no real "consequences" to speak of,
unless you're silly enough to click OK for a disc you don't trust.

And hey, it was kinda convenient.
 
Old 08-28-2008, 11:45 PM
Eduardo Romero
 
Default Wine association, waht should we do?

On Fri, 2008-08-29 at 09:06 +1000, James Rayner wrote:
> And just to clarify something...
> 1) KDE (not wine), just _alerted_ that there was an autorun available.
> So it's a KDE feature, not wine.
> 2) It only alerted that there's an autorun available (presumably
> checking for autorun.inf) but did not run it. You had to click OK to
> execute the autorun
> 3) It makes sense for wine to be bound to exe's. Exe's should be
> treated no different to any file type, as any file could possibly
> contain a danger. Don't click an exe you dont trust, like you wouldnt
> click a shell script or binary or any other file you don't trust the
> source.
>
> So just to get things straight, no executable/autoruns are run without
> asking the user first. There's no real "consequences" to speak of,
> unless you're silly enough to click OK for a disc you don't trust.
>
> And hey, it was kinda convenient.

Yeah, I kind of got that all, as I said for the 20th time, since I
didn't had much time to research on the situation I brought it up here
to see if developers thought it was a security thread. But we all know
by now that it is not. Thanks for your message anyways.
 
Old 08-29-2008, 12:10 AM
"Aaron Griffin"
 
Default Wine association, waht should we do?

On Thu, Aug 28, 2008 at 6:45 PM, Eduardo Romero <k3nsai@gmail.com> wrote:
> On Fri, 2008-08-29 at 09:06 +1000, James Rayner wrote:
>> And just to clarify something...
>> 1) KDE (not wine), just _alerted_ that there was an autorun available.
>> So it's a KDE feature, not wine.
>> 2) It only alerted that there's an autorun available (presumably
>> checking for autorun.inf) but did not run it. You had to click OK to
>> execute the autorun
>> 3) It makes sense for wine to be bound to exe's. Exe's should be
>> treated no different to any file type, as any file could possibly
>> contain a danger. Don't click an exe you dont trust, like you wouldnt
>> click a shell script or binary or any other file you don't trust the
>> source.
>>
>> So just to get things straight, no executable/autoruns are run without
>> asking the user first. There's no real "consequences" to speak of,
>> unless you're silly enough to click OK for a disc you don't trust.
>>
>> And hey, it was kinda convenient.
>
> Yeah, I kind of got that all, as I said for the 20th time, since I
> didn't had much time to research on the situation I brought it up here
> to see if developers thought it was a security thread. But we all know
> by now that it is not. Thanks for your message anyways.

If anyone asks, tell them the real threat is PEBKAC!
 

Thread Tools




All times are GMT. The time now is 02:35 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org