setcap does not provide WINE access to port < 1024 for Hotspot Shield

Bug #695581 reported by rusivi2
Affects: libcap2 (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: libcap2

1) lsb_release -rd
Description: Ubuntu 10.10
Release: 10.10

2) apt-cache policy libcap2-bin
libcap2-bin:
  Installed: 1:2.19-2
  Candidate: 1:2.19-2
  Version table:
 *** 1:2.19-2 0
        500 http://us.archive.ubuntu.com/ubuntu/ maverick/universe i386 Packages
        100 /var/lib/dpkg/status

apt-cache policy wine1.3
wine1.3:
  Installed: 1.3.10-0ubuntu1~maverickppa1
  Candidate: 1.3.10-0ubuntu1~maverickppa1
  Version table:
 *** 1.3.10-0ubuntu1~maverickppa1 0
        500 http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu/ maverick/main i386 Packages
        100 /var/lib/dpkg/status

Hotspot Shield 1.56

3) What is expected to happen is when one runs any permuted combination of the following:

sudo setcap cap_net_bind_service=+ep /usr/bin/wine

sudo setcap cap_net_bind_service=+ep /home/rusivi/.wine/drive_c/Program\ Files/Hotspot\ Shield/bin/openvpntray.exe

wine openvpntray.exe

WINE successfully binds to a port < 1024.

4) What happens instead is WINE does not bind to a port < 1024 (please see attached wine openvpntray.exe.txt). For context please see:
https://bugs.launchpad.net/ubuntu/+source/wine1.2/+bug/684611

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: libcap2-bin 1:2.19-2
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
Uname: Linux 2.6.35-24-generic i686
Architecture: i386
Date: Wed Dec 29 23:02:49 2010
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: libcap2

rusivi2 (rusivi2-deactivatedaccount) wrote :

Serge Hallyn (serge-hallyn) wrote :

Thanks for submitting this bug report and helping to make Ubuntu better.

Do you know exactly how wine goes about executing the .exe file? Could you provide the output of starting the program through strace?

Changed in libcap2 (Ubuntu):
status: New → Incomplete
importance: Undecided → Low
rusivi2 (rusivi2-deactivatedaccount) wrote :

Serge Hallyn, thank you for responding to this bug.

> Do you know exactly how wine goes about executing the .exe file?

No, but if you have a more specific question, a better answer may be produced.

> Could you provide the output of starting the program through strace?

See attached strace.log.bz2 performed at the Terminal:

sudo setcap cap_net_bind_service=+ep /usr/bin/wine && strace -o /tmp/strace.log -f -tt -s 256 wine /home/rusivi/.wine/drive_c/Program\ Files/Hotspot\ Shield/bin/openvpntray.exe

lsb_release -rd
Description: Ubuntu 10.10
Release: 10.10

apt-cache policy wine1.3
wine1.3:
 Installed: 1.3.13-0ubuntu1~maverickppa2
 Candidate: 1.3.13-0ubuntu1~maverickppa2
 Version table:
 *** 1.3.13-0ubuntu1~maverickppa2 0
       500 http://ppa.launchpad.net/ubuntu-wine/ppa/ubuntu/ maverick/main i386 Packages
       100 /var/lib/dpkg/status

Changed in libcap2 (Ubuntu):
status: Incomplete → New
Daniel Martin (consume-noise) wrote :

Just skimmed through strace.log:
/usr/bin/wine doesn't bind to the socket itself. It executes other binaries. One of the binaries does the binding.
Permitted capabilities are not applied to such "sub" processes. (They would survive a clone or fork.) But, capabilities with the inheritable flag are.

You could do:
a) set the inheritable flag for the capability, so it would be applied for "sub" processes
or
b) set the permitted capability on the binary actually binding to the socket (Which should be /usr/bin/wine-preloader, if I've read the log correctly.)

Serge Hallyn (serge-hallyn) wrote :

Thanks, Daniel. (In the past I wasn't able to d/l the file)

In particular, the failed ping is attempted by 12687 which is a grand-child of the task which did:

12680 00:22:40.854292 execve("/usr/bin/wine-preloader", ["/usr/bin/wine-preloader", "/usr/bin/wine", "C:\\Program Files\\Hotspot Shield\\bin\\openvpnas.exe"], [/* 40 vars */] <unfinished ...>

Note that (a) is not sufficient. The wine process (or a small wrapper for the wine process) would have to enable the capability in its pI, in addition to the capability being set in fI for wine-preloader. For example, you should be able to:

   sudo setcap CAP_NET_BIND_SERVICE=i /usr/bin/wine-preloader
   sudo capsh --inh=cap_net_bind_service --uid=1000 --
   # <your wine command>

The capsh part could be automated with a wrapper (which would have cap_net_bind_service in its permissions).

Changed in libcap2 (Ubuntu):
status: New → Invalid
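The exec-time capability rules behind Daniel's and Serge's comments, carried through for the three setups discussed in this thread, as an added example that is not from the thread or from libcap: a model of the capabilities(7) transformation on execve(2) and of what dropping uid via capsh does to the process sets. It assumes a pre-ambient kernel like the 2.6.35 in the report, a full bounding set, and that the helper wine execs (wine-preloader, per the strace) is the process that binds.

```python
from dataclasses import dataclass

CAP_NET_BIND_SERVICE = 1 << 10   # bit 10 of the kernel capability bitmap

@dataclass(frozen=True)
class Proc:
    """Process capability sets; no ambient set (pre-4.3 kernels such as the 2.6.35 here)."""
    inh: int = 0   # pI
    prm: int = 0   # pP
    eff: int = 0   # pE

@dataclass(frozen=True)
class FileCaps:
    """File capabilities as written by setcap: fI, fP and the single fE bit."""
    inh: int = 0
    prm: int = 0
    eff: bool = False

def execve(p: Proc, f: FileCaps, bset: int = ~0) -> Proc:
    """capabilities(7) exec rule: pP' = (pI & fI) | (fP & bset); pE' = pP' if fE else 0; pI' = pI."""
    new_prm = (p.inh & f.inh) | (f.prm & bset)
    return Proc(inh=p.inh, prm=new_prm, eff=new_prm if f.eff else 0)

def drop_root(p: Proc) -> Proc:
    """Root switching to a non-zero uid under default securebits (what `capsh --uid=` does):
    permitted and effective are cleared, inheritable is kept."""
    return Proc(inh=p.inh)

def can_bind_low_port(p: Proc) -> bool:
    return bool(p.eff & CAP_NET_BIND_SERVICE)

def reporter_attempt() -> Proc:
    # cap_net_bind_service=+ep on /usr/bin/wine, nothing on the helper it execs
    wine = execve(Proc(), FileCaps(prm=CAP_NET_BIND_SERVICE, eff=True))
    return execve(wine, FileCaps())   # lost on the second exec: fP and fI are both empty

def inheritable_only() -> Proc:
    # Daniel's option (a) on its own: fI on the helper, but the caller's pI is empty
    return execve(Proc(), FileCaps(inh=CAP_NET_BIND_SERVICE))

def capsh_recipe(file_effective_bit: bool) -> Proc:
    # Serge's recipe: pI raised as root, uid dropped via capsh, then exec with fI on the helper
    shell = drop_root(Proc(inh=CAP_NET_BIND_SERVICE, prm=~0, eff=~0))
    return execve(shell, FileCaps(inh=CAP_NET_BIND_SERVICE, eff=file_effective_bit))
```

One caveat the thread does not spell out: with `=i` alone the capability lands only in the helper's permitted set, so a program that never raises it itself also needs the file's effective bit (`=ei`) before bind(2) succeeds.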
Serge Hallyn (serge-hallyn) wrote :

(Marking invalid because it's not a bug in setcap, but please let us know if some version of the above does not suffice for your needs)
