Linux Wine jots
General
These are just a few jots on Wine. I guess this post will evolve over time.
I’m running Wine version 4.0 on Linux Mint 19, running on an x86_64.
First run
Every time Wine is run on a blank (or absent) directory given by WINEPREFIX, it installs a Windows environment. Which Windows version and several other attributes can be set with Wine Configuration:
$ WINEPREFIX=/path/to/winedir /opt/wine-stable/bin/winecfg
Note that Wine installs a 64-bit environment by default. Add WINEARCH=win32 after the WINEPREFIX setting on the first run of Wine for the relevant directory to install a 32-bit environment instead, which is recommended for its better support unless 64-bit applications are going to be used. No need for WINEARCH afterwards.
It often suggests installing Wine Mono and Wine Gecko. I usually tend to agree.
This installation downloads three files into .cache/wine/: wine_gecko-2.47-x86_64.msi, wine_gecko-2.47-x86.msi and wine-mono-4.7.5.msi. This is why Wine doesn’t ask for permission to install these when setting up new Windows environments after the first time.
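The WINEARCH rule above (set it on the first run only, never afterwards) is easy to get wrong once several prefixes are around. The following is an added example, not code from the original post: it reads the architecture Wine recorded in the prefix and decides whether WINEARCH belongs on the command line. It assumes Wine writes a line of the form #arch=win32 or #arch=win64 into system.reg of a populated prefix; WINE_BIN is an assumed location.

```shell
#!/bin/sh
# Added example (not code from the original post): pick the right WINEARCH
# for a prefix before running Wine, so win32 is forced only on the first run
# and a later run never requests the wrong architecture.
# Assumption: Wine records the prefix architecture as a line "#arch=win32"
# or "#arch=win64" near the top of $WINEPREFIX/system.reg.
# WINE_BIN is an assumed location; the post uses /opt/wine-stable/bin/.
WINE_BIN="${WINE_BIN:-/opt/wine-stable/bin/wine}"

# Print "win32" or "win64" for a populated prefix, "new" if the directory
# is absent or Wine has not written system.reg yet; fail on anything else.
prefix_arch() {
    reg="$1/system.reg"
    if [ ! -f "$reg" ]; then
        echo new
        return 0
    fi
    arch=$(grep '^#arch=' "$reg" | head -n 1 | cut -d= -f2)
    case "$arch" in
        win32|win64) echo "$arch" ;;
        *) echo unknown; return 1 ;;
    esac
}

# Print the variable assignments that belong in front of a Wine command for
# this prefix. $2 (optional) is the wanted arch; it is only applied when the
# prefix is new. An existing prefix of a different arch is refused here
# instead of letting Wine fail halfway through.
wine_env_for() {
    prefix="$1"
    wanted="$2"
    have=$(prefix_arch "$prefix") || return 1
    if [ "$have" = new ]; then
        echo "WINEPREFIX=$prefix WINEARCH=${wanted:-win32}"
    elif [ -z "$wanted" ] || [ "$have" = "$wanted" ]; then
        echo "WINEPREFIX=$prefix"
    else
        echo "prefix $prefix is already $have, not $wanted" >&2
        return 1
    fi
}

# Run a Wine command with that environment, e.g.:
#   run_in_prefix /path/to/winedir win32 winecfg
run_in_prefix() {
    prefix="$1"; wanted="$2"; shift 2
    have=$(prefix_arch "$prefix") || return 1
    if [ -n "$wanted" ] && [ "$have" != new ] && [ "$have" != "$wanted" ]; then
        echo "prefix $prefix is already $have, not $wanted" >&2
        return 1
    fi
    (
        export WINEPREFIX="$prefix"
        [ "$have" = new ] && export WINEARCH="${wanted:-win32}"
        exec "$WINE_BIN" "$@"
    )
}
```

The point of refusing a mismatch up front is that a prefix created as 64-bit stays 64-bit; passing WINEARCH=win32 to it later does not convert anything, so the script treats that as an error rather than passing it through.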
Install and use Winetricks
It’s a good idea in general, and it allows installation of Microsoft runtime environment easily:
# apt install winetricks
# apt install wine32-development
And now to install the Visual Studio 6 runtime environment, for example (which solves an error message about not being able to import isskin.dll or isskinu.dll):
$ WINEPREFIX=/path/to/winedir winetricks vcrun6sp6
For a list of all packages available, run
$ WINEPREFIX=/path/to/winedir winetricks list-all | less
Prevent browser popup
Wine has this thing that it opens a browser when so requested by the Windows application. That can be annoying at times, and get the program stuck when run inside a firejail. To prevent this altogether, just delete two files:
- drive_c/windows/syswow64/winebrowser.exe
- drive_c/windows/system32/winebrowser.exe
but that didn’t work with Picasa, because it opened the browser through its own xdg-open located at /opt/picasa/bin/xdg-utils-1.0.2/scripts/xdg-open. So I replaced it with the following lame script
#!/bin/bash
/usr/bin/konqueror "$1"
so at least it doesn’t mix in the real browser (which caused a mess at times).
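The two steps above (drop both winebrowser.exe copies, then neutralize the program's own xdg-open) can be scripted per prefix. The following is an added example, not code from the original post: it removes whichever of the two files exist (a 32-bit prefix has no syswow64, so that is not treated as an error) and, instead of handing the URL to a real browser, writes a stub xdg-open that only records the requested URL in a log file and exits successfully, so the Windows program does not hang waiting for it. The stub target path and log path are parameters the caller supplies.

```shell
#!/bin/sh
# Added example, not from the original post: stop a Windows program's
# "open URL" requests from reaching any browser at all.

# Remove winebrowser.exe from both locations the post names. Prints how
# many files were removed; a missing syswow64 (32-bit prefix) is fine.
disable_winebrowser() {
    prefix="$1"
    removed=0
    for f in "$prefix/drive_c/windows/system32/winebrowser.exe" \
             "$prefix/drive_c/windows/syswow64/winebrowser.exe"; do
        if [ -f "$f" ]; then
            rm -f "$f" || return 1
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# True (exit 0) if any winebrowser.exe is still present in the prefix.
winebrowser_present() {
    prefix="$1"
    [ -f "$prefix/drive_c/windows/system32/winebrowser.exe" ] ||
    [ -f "$prefix/drive_c/windows/syswow64/winebrowser.exe" ]
}

# Overwrite an application's private xdg-open (e.g. the Picasa one the post
# mentions) with a stub that appends the URL to $2 and opens nothing.
# Keeping exit status 0 is what prevents the calling program from stalling.
write_xdg_open_stub() {
    target="$1"
    log="$2"
    cat > "$target" <<EOF
#!/bin/sh
# Stub installed by write_xdg_open_stub: record the URL, open nothing.
printf '%s\\n' "\$1" >> "$log"
exit 0
EOF
    chmod 755 "$target"
}
```

Reviewing the log afterwards tells you which URLs the program wanted to open, which is more useful than watching a browser window appear; inside the firejail profile below, the log can live under ~/.cache/wine, which that profile whitelists.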
Open explorer
The simplest way to start: Open the file explorer:
$ WINEPREFIX=/path/to/winedir /opt/wine-stable/bin/wine explorer
DOS command line
$ WINEPREFIX=/path/to/winedir /opt/wine-stable/bin/wine cmd
This is better than expected: The command session is done directly in the console (no new window opened). Like invoking a shell.
Use with firejail
Windows equals viruses, and Wine doesn’t offer any protection against that. Since the entire filesystem is accessible from Z: (more on that below), it’s a good idea to run Wine from within a firejail mini-container. I have a separate post on firejail.
The execution of the program then looks something like (non-root user):
$ firejail --profile=~/my.profile --env=WINEPREFIX=/path/to/winedir /opt/wine-stable/bin/wine 'C:\Program Files\Malsoft\Malsoft.exe' &
The my.profile file depends on what the Windows program is expected to do. I discuss that briefly in that post; however, this is something that worked for me:
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
private-tmp
private-dev
# All relevant directories are read-only by default, not /opt. So add it.
read-only /opt
#
# This whitelisting protects the entire home directory.
# .cache/wine is where the Gecko + Mono installation files are kept.
# They can't be downloaded, because of "net none" below
mkdir ~/sandboxed/
mkdir ~/.cache/wine
whitelist ~/sandboxed/
whitelist ~/.cache/wine
net none
nonewprivs
caps.drop all
noroot
# blacklist everything that can be harmed
#
blacklist /mnt
blacklist /cdrom
blacklist /media
blacklist /boot
Notes:
- Note the “net none” part. Networking completely disabled. No access to the internet nor the local network.
- Be sure to blacklist any system-specific mount, in particular those that are writable by the regular user. Do you have a /hugestorage mount? That one.
- There’s a seccomp filter option that often appears in template profiles. It got a program in Wine completely stuck. It prevents certain system calls, so no doubt it adds safety, but it got in the way of something in my case.
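One consequence of the whitelist lines in that profile: only ~/sandboxed and ~/.cache/wine exist inside the jail, so a WINEPREFIX anywhere else is simply not there, and Wine either fails or quietly builds a fresh prefix in the wrong place. The following is an added example, not the post's own code: a launcher around the firejail command above that resolves the prefix path (symlinks included) and refuses to start unless it lies under the whitelisted directory. PROFILE, SANDBOX_ROOT and WINE_BIN are assumed locations matching the post's profile.

```shell
#!/bin/sh
# Added example, not from the original post: run a Windows program under
# the post's firejail profile, but only if WINEPREFIX is somewhere the
# profile's whitelist actually exposes inside the jail.
# PROFILE, SANDBOX_ROOT and WINE_BIN are assumed paths.
PROFILE="${PROFILE:-$HOME/my.profile}"
SANDBOX_ROOT="${SANDBOX_ROOT:-$HOME/sandboxed}"
WINE_BIN="${WINE_BIN:-/opt/wine-stable/bin/wine}"

# Print an absolute, symlink-free form of $1. Directories are resolved
# directly; a not-yet-existing prefix is resolved through its parent so a
# brand-new prefix under the sandbox is still accepted.
canon() {
    if [ -d "$1" ]; then
        (cd "$1" && pwd -P)
    else
        (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")")
    fi
}

# Exit 0 when $1 is SANDBOX_ROOT itself or lies below it, 1 otherwise.
# Resolving both sides catches "../" paths and symlinks that point out of
# the sandbox, which a plain string prefix test would miss.
inside_sandbox() {
    root=$(canon "$SANDBOX_ROOT") || return 1
    p=$(canon "$1") || return 1
    case "$p" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: run_jailed /home/me/sandboxed/winedir 'C:\Program Files\App\App.exe'
# Checks first, then runs exactly the command shape the post uses.
run_jailed() {
    prefix="$1"; shift
    [ -f "$PROFILE" ] || { echo "no profile at $PROFILE" >&2; return 1; }
    inside_sandbox "$prefix" || {
        echo "$prefix is outside $SANDBOX_ROOT: firejail would hide it" >&2
        return 1
    }
    firejail --profile="$PROFILE" --env=WINEPREFIX="$prefix" "$WINE_BIN" "$@" &
}
```

Because the check resolves symlinks, a link placed inside ~/sandboxed that points elsewhere in the home directory is rejected as well; inside the jail that link would dangle anyway, since its target is not whitelisted.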
Poor man’s sandboxing
If you’re too lazy to use firejail, you can remove some access to the local storage by virtue of Wine’s file system bindings. This is worth almost nothing, but almost nothing is more than nothing.
$ WINEPREFIX=/path/to/winedir /opt/wine-stable/bin/winecfg
In the “Drives” tab, remove Z:, and in the Desktop Integration tab, go through each of the folders and uncheck “Link to”.
This doesn’t prevent a Wine-aware Windows program from accessing the machine with the plain Linux API with your user permissions, just like any Linux program, and the root directory is still visible in Windows’ file browsing utilities. Yet, simple Windows programs expect any file system to be mapped to a drive letter, and these steps prevent that. Not much, but once again, better than nothing.
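The two winecfg steps can also be done at file level, which is handy when there are several prefixes to treat. The following is an added example, not code from the original post. It assumes the prefix layout of Wine 4.0 as I understand it: drive mappings are symlinks in dosdevices/ (z: pointing at /) and the Desktop Integration links are symlinks under drive_c/users/<user>/ (for example "My Documents" pointing at the real Documents folder), with winecfg replacing such a link by an empty real directory when "Link to" is unchecked. Check against one of your own prefixes before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post: the file-level equivalent of
# removing Z: and unchecking "Link to" for every user folder in winecfg.
# Assumed layout (Wine 4.0): $WINEPREFIX/dosdevices/z: -> / and symlinked
# folders under $WINEPREFIX/drive_c/users/<user>/.

# Remove the Z: mapping. Prints the old target, or "none" if there was none.
unmap_z() {
    link="$1/dosdevices/z:"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        rm -f "$link" || return 1
        echo "$target"
    else
        echo none
    fi
}

# Replace every symlinked folder in the Wine user directory with an empty
# real directory. Only the link is removed; the real home folder it pointed
# at is untouched. Prints the number of links replaced.
unlink_user_folders() {
    prefix="$1"
    user="${2:-$(id -un)}"
    userdir="$prefix/drive_c/users/$user"
    [ -d "$userdir" ] || { echo "no user dir $userdir" >&2; return 1; }
    n=0
    for d in "$userdir"/*; do
        [ -L "$d" ] || continue          # plain dirs (AppData etc.) stay
        rm -f "$d" && mkdir "$d" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# List what still leads out of the prefix: any symlink left in dosdevices
# (C: itself excepted) or in the user directory, one "link -> target" per
# line. Empty output means the two winecfg steps are fully applied.
remaining_links() {
    prefix="$1"; user="${2:-$(id -un)}"
    for l in "$prefix"/dosdevices/* "$prefix/drive_c/users/$user"/*; do
        case "$l" in */dosdevices/c:) continue ;; esac
        [ -L "$l" ] && printf '%s -> %s\n' "$l" "$(readlink "$l")"
    done
    return 0
}
```

As the text above says, none of this restricts a program that talks to Linux directly; it only takes the drive letters and folder links away from programs that stay within the Windows view of the file system.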