[Solved] wine: restricting execution to specific user/group safe?

From what I understand, the way of exploiting a bug in a browser and launching malware in the background won't work with wine as the malware injector calls "some.exe", not "wine some.exe". So using wine is safe unless the person is "dumb" enough to execute a windows executable from an untrusted source, right?
I have the following situation: there are two users, one should be able to execute windows programs, the other one (who recently got misled by a "you need to update flash player" malware link -_-) should be unable to.
What I thought I'd do was to create a group, let's say, called "wine" and change the permissions on the wine executable(s) so that only users of this group get the executable right. Then add users to this group.
Is this safe? Is changing permissions on wine/wine64 enough, or should I also modify them for wine(64)-preloader? Or is there maybe a better way to do that?
edit: also, will the permissions be reset when pacman updates wine?
Last edited by Soukyuu (2014-05-28 15:20:23)

Ideally, I'd want the user to be able to only execute whitelisted wine programs, but from what I know it's not possible. It's mainly to guard against accidental execution of mal/adware, which happened a few times while this computer was running windows. My parents lack the technical knowledge to try and circumvent those measures, nor do they have a reason. This means they are only using the GUI and call me if something doesn't work. Would using an alias guard against double-clicking on a windows binary?
The reason I have wine at all is that I still need some windows programs on that PC, and the reason I switched to linux was to free up resources used up by the antivirus. So theoretically I could just launch the programs I need in a VM, but that would just negate any resource gains I got by installing linux...

Similar Messages

  • Restricting  Access for SQ01 User Group

    Hi ,
    Please let me know how to restrict access for a User Group to only some of the specific users?
    Thank you
    Edited by: Vibhor Arora on Apr 12, 2010 7:29 AM

    Hi,
    Can you please clarify what exactly you want to know, your request can be interpreted in a few different ways.
    If you are concerned that people have access to all user groups, then you need to remove access to S_QUERY activity 02 and I think activity 23.  They will lose access to all user groups that they are not assigned to via SQ03.

  • How to apply Software Restriction policy for specific user in local group policy object ?

    I am working on implementing user based software restriction policy programmatically for local group policy object.
    If I create a policy through Domain Controller, I do have an option for software restriction policy in user configuration, but in local group policy editor I don't have an option for that.
    When I look for the changes made by a policy applied from Domain Controller in the registry, they modify registry values for specific users on path HKEY_USERS\(SID of User)\Softwares\Policies\Microsoft\Windows\Safer\Codeidentifiers
    They also have registry.pol stored in SYSvol folder in Domain Controller. When I make the same changes in the registry to block any other application, the application is getting blocked.
    I achieved what I wanted but is it right to modify registry values?
    PS:- I am using Igrouppolicyobject API

    I achieved what I wanted but is it right to modify registry values ?
    You also can modify a registry programmatically based policy. Check this:
    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx

  • Restrict metadata field during an update to a specific user group

    Hello everyone,
    I am having some trouble figuring out the best way to restrict permissions to change some metadata fields for 2 different groups of users.
    I have two user groups, A and B. Group A will be checking in documents that the B group will then review for accuracy and quality. Group B will then update an optionlist field called "Status" with either "Recommended" or "Not Recommended".
    This is not a workflow situation as the scope requires that all documents are immediately available for searching. I currently have a CheckIn and Search profile for the content permitting read write access to groups A and B. The "Status" field is hidden on the CheckIn page. Can anyone please suggest a good way to restrict the field "Status" on an Update page to just "B" users? Groups A and B should be able to update all fields with the exception of the B restricted "Status" field.
    Thanks!
    Edited by: user6750815 on Jun 2, 2010 4:11 PM

    Hey rMac,
    I understand it this way you have one profile for A and B user groups. On this profile Status field is hidden.
    If this is your problem you can approach it from two places, while making the rule for hiding the Status field, use rule activation condition. Make it active only for users with Role A . This way even with single profile some of the user with Role B will be able to see the Status field.
    otherwise you can put similar code in Restrict Personalization Link where in you make this hidden field editable and compulsory for Users in B.
    cheers,
    sapan

  • How can I give administration permissions to a specific user+group on wiki?

    How do I give administration capabilities to a specific user for only ONE specific group on my wiki server, not all of them.
    Anyone know the simplest way to do this?

    Really all I'm looking to do is to keep my web site exactly the same but limit the reading and writing capabilities of some users on specific groups/wiki pages/blogs but still allow them to read and write to other specific ones that somehow I would designate.
    For example: I'm setting up a group for multiple users (about 15), and they each have their own page within that group, however i want to give them very limited administration capabilities on the site, all I want them to be able to do is to edit their own page, NOTHING else in the group
    There's gotta be a way to do this without 3rd party software installation that seems complicated enough on its own, isn't administration capabilities a fundamental part of wikis?
    Someone has to have gone through something similar, any help?

  • How to create user in specific user group in Microsoft Active Directory ?

    Hi,
    I am using Netscape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group. But my problem is that whenever I create a new user it gets added to Domain Users group.
    Following is the code I am using which adds user to default group Domain Users.
    public LDAPResult createUserID(
            String userId,
            String pwd,
            String pId,
            boolean resetonLogOn,
            LDAPConnection ldCon) {
        boolean flag = false;
        int code = 0;
        try {
            String pwdLastSetVal;
            String desName;
            String desc;
            /* Specify the DN of the new entry. */
            String dn =
                "CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
            /* Create and add attributes to the attribute set. */
            String objectclass_values[] =
                { "top", "person", "organizationalPerson", "user" };
            // LDAPEntry findEntry=null;
            /* Create a new attribute set for the entry. */
            LDAPAttributeSet attrs = new LDAPAttributeSet();
            /* Attribute sAMAccountName */
            LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
            attrs.add(attr);
            /* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
            attr =
                new LDAPAttribute(
                    LDAP_PASSWORD_KEY,
                    (byte[]) this.encodePassword(pwd));
            attrs.add(attr);
            /* Attribute Display Name */
            desName = userId + ":" + pId;
            //desName = userId ;
            attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
            attrs.add(attr);
            /* Attribute userAccountControl to enable the userid. */
            attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
            attrs.add(attr);
            /* Attribute pwdLastSet to reset the password on first logon */
            if (resetonLogOn == true) {
                pwdLastSetVal = "0";
            } else {
                pwdLastSetVal = "-1";
            }
            attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
            attrs.add(attr);
            /* Attribute Description */
            desc = " Account Created by HelpNow App";
            attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
            attrs.add(attr);
            /* Attribute objectclass */
            attr = new LDAPAttribute("objectclass", objectclass_values);
            attrs.add(attr);
            /* Create an entry with this DN and these attributes. */
            LDAPEntry myEntry = new LDAPEntry(dn, attrs);
            /* Add the entry to the directory. */
            ldCon.add(myEntry);
            flag = true;
        } catch (LDAPException e) {
            flag = false;
            code = e.getLDAPResultCode();
        } catch (Exception e) {
            flag = false;
            code = LDAPException.OTHER;
        } finally {
            // ldaprs is declared outside this excerpt
            ldaprs.flag = flag;
            ldaprs.code = code;
            return ldaprs;
        }
    }

    Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150

  • Denying AAA Clients to a specific user group in ACS v4.1

    Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??
    thanks in advance,
    dave

    Hi,
    Why don't you use NAR (Network access restriction)
    Under the network config > simply create one NDG and assign all the voice router under it.
    After that go to the group/user where you want to put this restriction
    You need to check that what are we getting in calling station id. If we are getting ip address then
    [1] To accomplish above we would configure the group with following
    NAR (network access restriction)
    Define IP based Network Access Restriction
    Permitted Calling Point
    AAA client: VOICE NDG created
    Port *
    Src IP Address *
    Submit the changes and try.
    Here is more on configuring Network Access Restriction:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900
    HTH
    JK
    Plz rate helpful posts-

  • Sharing a folder with specific users/group

    I am trying to make 3 different shared folders for 3 different groups on Windows server 2008 R2. I have tried creating 3 folders in C:\, and then share it with the specific groups. The problem I have is that even though I have only given read and write permissions to the specific group members, the other group members (from the 2 other groups) can still read and write in that folder. Which is not supposed to happen. What am I doing wrong and how can I fix this?
    PS: I am quite new to this...

    Hi,
    As all accessing occurs locally, actually Share permission is not involved.
    I assume the purpose is to create a folder which can only be accessed by several members in all 7 users.
    Please notice that, if all users are local admin (in local Administrators group), this will not work as local admin can always take ownership of a folder to gain access rights.
    If you (and other members in that group) are the only local admins on this computer, set NTFS permission will work.
    Again if one of the excluded members has local admin permission, he/she can take ownership to gain access rights. 2 workarounds are "set password with a third party application" and "create a new volume for saving those files, and enable BitLocker encryption on that volume with a password".

  • Recycle bin to show all deleted items on the site collection for specific user group

    hi there, is there any way where a certain sharepoint group (i.e. site collection members) to view and restore deleted items on the entire collection, without giving them site collection rights or give them more rights than necessary? we wanted to create a SP group that has the permission to restore deleted items and give them to selected users so that our users won't have to contact us when they want to restore a deleted item

    I don't believe you can. If an item gets deleted it should go to the first recycle bin @ /_layouts/15/RecycleBin.aspx
    The Recycle Bin gives a site collection administrator greater control when users delete files, versions of files, list items, libraries, lists, and folders from a SharePoint site by providing a second stage safety net before an item is permanently deleted from a site. When a user deletes an item from the Recycle Bin, the item is sent to a second stage Recycle Bin (also known as the Site Collection Recycle Bin) that the site collection administrator manages. This article focuses on how a site collection administrator can manage the Recycle Bin for a site collection.
    https://support.office.com/en-US/Article/Manage-the-Recycle-Bin-of-a-SharePoint-site-collection-5fa924ee-16d7-487b-9a0a-021b9062d14b
    Ibrahim Sukari, Technical Consultant | SharePoint | Dynamics CRM |

  • Send mail to a specific user group when an Inbound Idoc processing fails

    I am using standard Message type DEBMAS, but the process code is customed (say ZDEBM as the function module is customed). Can you tell me what configurations are required to activate the error notification message to a user when the inbound idoc fails?

    hi,
    i think u need to check tcode swu3 for automatic workflow customizing and check in we40 (error AND STATUS PROCESSING) whether the processing code is assigned to the workflow task.
    if it is assigned,the workflow will be automatically triggered and the mail will be sent to the user by itself.
    ALE error handling uses workflow. A standard task is provided for each message type. Task TS20000051 is used for all BAPIs.
    Workflow functions as follows:
    A task (work item) is generated for the error handling and stored as a message in the inboxes of the employees responsible.
    If one of these employees processes the work item, the standard task method for error handling is started. The user can, for example, restart IDoc processing.
    If the IDoc is processed successfully, the work item is deleted from the inboxes of all the employees involved.
    For this procedure to function, the employees responsible for a particular message type and partner (sender or receiver) must be defined as follows:
    1. A hierarchy of organizational units (for example, "sales office") and positions (for example, "customer officer for customer X") is created and employees are assigned to it.
    2. The standard tasks for error handling (for example, an error related to an inbound sales order) are assigned to the relevant organizational units or positions (for example, "sales office").
    3. The organizational unit, position or employee responsible for dealing with the error are specified for each partner and message type in the partner profiles.
    If an error occurs, the system determines:
    1. The employees responsible using the staffing schedule of the organizational unit or position linked to the standard task.
    2. The employees defined in the partner profiles (using position, user ID, or organizational unit).
    3. The employees appearing in both groups represent those who will receive a work item in their inboxes.
    regards,
    pankaj singh

  • [solved] systemd: Start process as specific user

    Hi,
    I plan to use bittorrent-sync, and want to run it for each user separately. So I would like to modify the service to run the process as the user instead of root. Like bittorrent-sync@user1… and so on.
    Is this possible?
    Thanks
    Last edited by silentsnake (2013-04-27 15:13:25)

    Thanks to you too, WonderWoofy.
    [Unit]
    Description=BitTorrent Sync service
    After=network.target
    [Service]
    ExecStart=/usr/bin/btsync --nodaemon --config /home/%i/.sync/btsync.conf
    Restart=on-abort
    User=%i
    Group=users
    [Install]
    WantedBy=multi-user.target
    This allows me to run one instance per user with its own configuration. Since it's a server with no users actively working on, I think this is the way to go. But will investigate the systemd user session for my desktop clients.

  • Restricting certain users groups to read only for certain folders

    Hi
    I'm not sure if this is the correct forum, but hey, hopefully someone might know the answer or direct me to the correct one.
    I'm writing a VB program to amend ACLs for specific user groups.
    Effectively, I make all prior year folders read only, whereas the default for the group is Modify, Delete etc.  This means they can continue to work in the "new year folders", but historic years is List/read only.
    I've got to the point the program does everything I want, i.e. stops folder creation/deletion, file & folder name changes, copying for the historic years, but does not prevent deletion of files in the folder.  Effectively I set Deny access on the historic folders.
    Testing using the Windows GUI would appear to resolve the problem if I change the Deny Special Permission (for the group) from "This folder only" to "This folder & files".
    Question then is how do I set this in VB, the default appearing to be "This folder only"
    Here's extract of my code
    Thanks
    Dim FileInfo3 As IO.FileInfo = New IO.FileInfo(varDirectoryName)
    Dim FileAcl3 As New FileSecurity
    If varDirectoryName.IndexOf("\" & Date.Now.Year) = -1 Then
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.Modify, AccessControlType.Deny))
    FileAcl3.AddAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.DeleteSubdirectoriesAndFiles, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ReadAndExecute, AccessControlType.Deny))
    FileAcl3.RemoveAccessRule(New FileSystemAccessRule(GroupAdmin(0), FileSystemRights.ListDirectory, AccessControlType.Deny))
    FileInfo3.SetAccessControl(FileAcl3)
    End If

    Hi Rohn
    You're right, when I added the flags I got the following error at execution
    {"No flags can be set. Parameter name: inheritanceFlags"}
    I've developed a work around, which gives me exactly - subject to further testing - what I want.  I simply mark each file in the relevant folders with a Deny Delete option.
    I will however explore the DirectorySecurity class option, but initial review of the www seems a little shy on VB examples.
    Thanks
    Perry

    You should be able to use FileSecurity and DirectorySecurity the same way (they have identical methods). Since this is a scripting forum, I'll provide a PowerShell example (which is fairly close to C# and VB; they all use the exact same classes):
    $varDirectoryName = "c:\folder"
    $GroupAdmin = "Admin Group"
    $FileInfo3 = New-Object System.IO.DirectoryInfo $varDirectoryName
    $FileAcl3 = $FileInfo3.GetAccessControl()
    # ContainerInherit + ObjectInherit make the rule apply to subfolders and files as well
    $FileAcl3.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule (
        $GroupAdmin,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )))
    $FileInfo3.SetAccessControl($FileAcl3)
    I could have taken a lot of shortcuts when using the enumerations, but I think keeping it verbose helps show how similar the code can be.
    Does that make sense?

  • TMG2010 - Exchange 2010 - Restrict User Groups

    Hey Guys, 
    We have TMG2010 currently reverse publishing OWA however no Pre-Auth is being used, the Exchange 2010 Auth Form is being used. 
    The TMG box is not Domain Joined, however if we joined it to the domain would we be able to use AD Security Groups to restrict access to certain services such as OWA?  Without enabling the "Pre-Auth" Functions of TMG? 
    Thanks, 
    Robert

    Hi,
    yes it is possible to restrict access to specific services like OWA/EAS/OA on the TMG Server for specific user/groups if the TMG Server is a member of the domain. You can also use pre-auth if the TMG Server is a member of a workgroup if you use LDAP on the TMG Server:
    TMG publishing:
    http://www.microsoft.com/en-us/download/details.aspx?id=8946
    TMG and LDAP:
    http://www.isaserver.org/articles-tutorials/configuration-general/Microsoft-Forefront-TMG-Using-LDAP-RADIUS-Authentication.html
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570

  • Select all users of specific APEX Group

    Hello,
    do you know how I can find all users assigned to specific User Group?
    I know there is User Groups Assignments page in APEX Administration panel, but it's very weak. It shows only 500 records, and there is no search option. I also can't find APEX group view in APEX DB.
    I can check all groups of any user, I don't believe I can't check all users of any group.
    Regards,
    Przemek

    Hi Martin,
    thanks a lot! I needed sth similar, but I couldn't have found right views. Thanks to you now I can:
    Select GROUP_NAME, USER_NAME, FIRST_NAME, LAST_NAME from WWV_FLOW_USERS u, WWV_FLOW_GROUP_USERS g where g.USER_ID=u.USER_ID and UPPER(GROUP_NAME) like '%some_name%' order by USER_NAME
    Regards,
    Przemek

  • Conditions based on user groups

    Hi,
    I am already using the authorization, I don't want to make any changes.
    I want to restrict the column using user group.
    If my user group is admin or unique then display the item, and if the user group is helpdesk or test then don't display.
    I am using condition: PL/SQL Function Returning boolean
    declare
    begin
    return apex_util.current_user_in_group(p_group_name=>'admin');
    end;
    It is working fine for only admin group. If I need to display the column to either admin or uniqueuser group, then please could you advise the expression for that.
    Regards
    Harinder

    Hello Harinder,
    What about
    return apex_util.current_user_in_group(p_group_name=>'admin') or apex_util.current_user_in_group(p_group_name=>'yourOtherGroup');
    Greetings,
    Roel
    http://roelhartman.blogspot.com/
    You can reward this reply by marking it as either Helpful or Correct ;-)
