echo "0"|sudo tee /proc/sys/kernel/yama/ptrace_scope
Short answer: no practical danger yet, but read on for a better way...
What's this ptrace thing anyway?
this is due to a bug in the Ubuntu kernel that prevents ptrace and WINE playing well together.
-
No, ptrace protection is a deliberate kernel security measure first introduced around Ubuntu 10.10. It's not a bug, and so isn't going to be "fixed".
-
In simple terms, the default
ptrace_scope
value of1
blocks one process from examining and modifying another process unless the second process (child) was started by the first process (parent). -
This can cause problems with some programs under Wine because of the way
wineserver
provides "Windows Services" to these programs.
What are the risks in setting ptrace_scope
to 0
?
-
This restores the old behavior where one process can "trace" another process, even if there is no parent-child relationship.
-
In theory, a piece of malware can use this to harm you/your computer; e.g. it can attach to Firefox and log all of your URLs/passwords, etc. In practice this is extremely unlikely unless you blindly install binary debs from random sites, etc.
-
As far as debugging goes, the
0
settings is in fact required forgdb
,strace
, etc. to attach to non-children unless you run them with elevated privileges (sudo).
What are the problems with the workaround?
- The workaround is somewhat problematic because
ptrace_scope
is a global value, and while it's set to0
, all processes on your system are exempt from the non-child restriction. - If you use the workaround, put it in a simple bash script that enables it, runs your Windows program and then disables (sets to 1) on exit.
- DO NOT make
ptrace_scope
world-writable (666) as the forum post recommends -- that is a huge security risk because now any process can change it at will!
- DO NOT make
Is there a better solution?
-
A better solution which is more secure and does not require repetitively modifying ptrace_scope is to grant Wineserver ptrace capabilities.
-
In a terminal:
sudo apt-get install libcap2-bin sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
-
This exempts the wineserver and wine-preloader binaries from the non-child ptrace restriction, and allows them to ptrace any process.
- It only needs to be done once, and is safer because these binaries are usually from a trusted source - the official repositories or the official Wine PPA, so they aren't going to be malware.
-
If you're using Crossover
Install libcap2:
sudo apt-get install libcap2-bin;
Then, add an exception for Crossover:
sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wineserver; sudo setcap cap_sys_ptrace=eip /opt/cxoffice/bin/wine-preloader;
Finally, add its libraries to ld.so.conf (or you will get "error while loading shared libraries: libwine.so.1: cannot open shared object file: No such file or directory"):
echo /opt/cxoffice/lib/ | sudo tee /etc/ld.so.conf.d/crossover.conf sudo /sbin/ldconfig