Hack 80. Protect Yourself from Windows Applications


emulators and Windows documents.CodeWeavers's applications under Linux. In fact,
they do such a good job of providing a Windows-like environment that
they can be susceptible to some of the same security issues as
Windows. Use this hack to protect the rest of your computer from the
havoc an emulated Windows environment gone wild can cause.This hack uses sudo to open Windows documents in
a restricted area. Some people use chroot for
this purpose, but the sudo approach accepts a
certain level of risk in exchange for being much easier to set up
than chroot for the same purpose. (A utility
currently in development called chroot_safe
looks like it will be a more promising alternative in the long run.)If you're a Linux user who must use some Microsoft
applications (through CrossOver Office or Wine), this hack lets you
do things such as open nontrusted Microsoft Word files that you get
as email attachments with Microsoft Word itself, yet without risking
the integrity of your other Word documents. For example, you can set
up your Mozilla Mail client to open Word files in this restricted
environment where an infected document can do little or no damage.
Once you understand the methodology you use for Word, you can apply
the same techniques to view any kind of file in a safe, restricted
environment.This hack requires several steps:
- Install sudo, if you don't
already have it installed.Create a user and a group named jail.Install Wine or CrossOver Office as the user jail
in the /home/jail directory.Create the /home/jail/Documents directory, and
give everyone read/write access to the directory.Set up the sudoers file to enable you to run
certain applications as the jail user.Install a special script in /usr/local/bin that
automatically uses Microsoft Word, running in the jailed environment,
to open any Word document in read-only mode.
9.12.1. Get Your Safe Environment Set Up
Create both a user and a group named jail.
Make the jail user a member of the
jail group, but do not add this user to any other
groups. You want the jail user to have as few
privileges as possible. Your Linux distribution probably includes a
graphical application to manage users and groups. If you prefer to
use the command line, one way to create this user is to log in as
root and issue the following commands:
# groupadd jail
# useradd jail -d /home/jail -m -g jail -s /bin/bash
# passwd jail
New UNIX password:
<password>
Retype new UNIX password:
<password>
passwd: password updated successfully
|
Office or Wine in the /home/jail directory. Then
install Microsoft Word or Microsoft Office via your choice of Windows
emulator in the /home/jail directory. Make sure
that you can launch Microsoft Word and that everything works before
you continue.
|
for your distribution. Some distributions package it under the name
sudosh. Log in as root, and run the
visudo command to edit the
sudoers file that controls the behavior of
sudo. Edit the sudoers file
to include these lines:
# Runas alias specificationIn case you're not familiar with
Cmnd_Alias VIEWERS = /bin/rm, /home/jail/cxoffice/bin/winword
Defaults:ALL env_reset
Defaults:ALL env_keep=DISPLAY
Defaults:ALL always_set_home
ALL ALL = (jail) NOPASSWD: VIEWERS
sudo, the Cmnd_Alias
VIEWERS line defines a list of programs to make
available to the jail user. You can add other
viewers to the VIEWERS alias list later if you
want, but until you are certain everything works, keep it simple. The
last line of the example file says that ALL users
on ALL hosts can run as the
jail user without having to enter a password. Save
your changes and exit visudo.Incidentally, the env_reset setting tells
sudo to eliminate all but the most basic
environment variables. This way, your personal environment variables
will not "leak" into the
jail account while you're using
it. env_keep=DISPLAY simply retains the
DISPLAY environment variable so that the program
will show up on the current display. The
always_set_home variable makes sure that when you
use sudo to run a program as the user called
jail, it will set the HOME
variable to be /home/jail instead of retaining
the HOME variable of your user account.While you are still logged in as root, create the following
/usr/local/bin/wordview script:
#!/bin/bashSave your work, and make the file executable:
if [ -r "$*" ]; then
chmod 444 "$*"
cp "$*" /home/jail/Documents
filename=$(basename "$*")
cd /home/jail/cxoffice/bin
sudo -u jail /home/jail/cxoffice/bin/winword f:"$filename"
sudo -u jail rm -f /home/jail/Documents/"$filename"
else
echo "No such file, or file is not readable"
fi
# chmod +x /usr/local/bin/wordviewYou have to take care of two obscure details to make this work.
First, you must configure CrossOver Office (or Wine) to equate DOS
drive f: with the
/home/jail/Documents directory.
Here's how to do that with CrossOver Office:
# su - jailIf the DOS drive f: is already defined by
$ cd /home/jail/.cxoffice/dotwine/dosdevices
$ ln -sf /home/jail/Documents "f:"
$ exit
CrossOver Office, choose another driver letter, but make sure it
matches the drive letter in the
/usr/local/bin/wordview script that looks like
this:
sudo -u jail /home/jail/cxoffice/bin/winword f:"$filename"If you are using something other than CrossOver Office, you also have
to adjust one other line in the
/usr/local/bin/wordview script. This line points
to the executables directory for CrossOver Office:
cd /home/jail/cxoffice/binIt needs to be changed to point to the location of the executable
files you are using:
cd /home/jail/<route to your winword executable file>
9.12.2. Give Your Creation a Try
Now you're ready to try it out. Log in as a normal
user and find a Microsoft Word document to which you have legitimate
access (such as a Word document in your home directory). For this
example, assume the file is named dangerous.doc
and is located in your home directory,
/home/carlotta. Log in as
carlotta, start up your favorite desktop
environment or window manager, open a terminal, and issue this
command to open the document using the script you just created:
$ wordview dangerous.docThe script makes a copy of dangerous.doc in
/home/jail/Documents, and then, running as the
jail user, it opens the document as read-only in
Microsoft Word. When you are done viewing the document and you exit
Microsoft Word, the script will delete the temporary copy of
dangerous.doc from
/home/jail/Documents. (This is why you made the
/bin/rm command available to the
jail user. It's not a necessary
step, so you can modify sudoers and the script
accordingly, but it does keep the
/home/jail/Documents directory uncluttered.)
|
9.12.3. Automating Wordview in Mozilla
Not every application makes it possible to
customize
what action it will take when it opens a Microsoft Word document.
Some applications that do make it possible don't
make it easy.But it should be easy for Mozilla users. The next time you come
across a Word document while browsing a web page, you can adjust what
Mozilla does when you click Word document links. When you click a
link to a Word document, you should get a dialog box that asks you
what to do (Figure 9-2). Tell Mozilla to open the
document with /usr/local/bin/wordview.
Figure 9-2. Dialog for setting document handling

attachment using Mozilla Mail. Then you can set up Mozilla Mail to
run /usr/local/bin/wordview automatically when
opening attached Word documents.The technique for setting up the Mozilla Thunderbird email client is
a bit different. When you receive a Word document, right-click it and
choose Open. This brings up a dialog that gives you the choice of
saving the file or specifying a program with which to open the file.
In addition, a checkbox (similar to the one in Figure 9-2 for Mozilla) tells Thunderbird to treat this
type of file the same way by default.Unfortunately, it isn't quite as easy to make the
Mozilla Firefox browser behave this way. I expect this limitation
will disappear as the application matures. Fortunately, it looks like
Firefox inherits the setting from Thunderbird. After setting up
Thunderbird to view Word documents with
wordview, that setting seems to have magically
appeared in the preferences dialog for Firefox.
9.12.4. Preparing for Unlikely Damage
With everything protected in a sudo jail, the
worst possible damage a virus could do is to infect your copy of
CrossOver Office. Even though I am not aware of any virus that can
attack CrossOver or Wine, it is theoretically possible, because both
mimic Windows very closely. If you're worried this
might happen, make a backup copy of CrossOver Office and your
installation of Microsoft Word as soon as you're
done installing these packages. If anything damages either CrossOver
Office or Microsoft Word, you can overwrite the damaged files with
the backup copy. Make sure you back up both the hidden and unhidden
CrossOver Office directories:
# cdIn the unlikely event that you have to restore a damaged CrossOver
<backup directory>
# tar cjvf crossover.tar.bz2 /home/jail/.cxoffice /home/jail/cxoffice
Office environment, here's how to restore it:
# cdObviously, if you are using Wine or some other means of running
<backup directory>
# tar jxvf crossover.tar.bz2 /home/jail/
Microsoft Word, back up those directories instead of
/home/jail/.cxoffice and
/home/jail/cxoffice.