Hack 80. Protect Yourself from Windows Applications

Minimize the risk of viral infection in Windows emulators and Windows documents.

CodeWeavers's (http://www.codeweavers.com) CrossOver Office and Wine enable you to run many Windows applications under Linux. In fact, they do such a good job of providing a Windows-like environment that they can be susceptible to some of the same security issues as Windows. Use this hack to protect the rest of your computer from the havoc an emulated Windows environment gone wild can cause.

This hack uses sudo to open Windows documents in a restricted area. Some people use chroot for this purpose, but the sudo approach accepts a certain level of risk in exchange for being much easier to set up than chroot for the same purpose. (A utility currently in development called chroot_safe looks like it will be a more promising alternative in the long run.)

If you're a Linux user who must use some Microsoft applications (through CrossOver Office or Wine), this hack lets you do things such as open untrusted Microsoft Word files that you receive as email attachments with Microsoft Word itself, without risking the integrity of your other Word documents. For example, you can set up your Mozilla Mail client to open Word files in this restricted environment, where an infected document can do little or no damage. Once you understand the methodology used for Word, you can apply the same techniques to view any kind of file in a safe, restricted environment.

This hack requires several steps:

  1. Install sudo, if you don't already have it installed.

  2. Create a user and a group named jail.

  3. Install Wine or CrossOver Office as the user jail in the /home/jail directory.

  4. Create the /home/jail/Documents directory, and give everyone read/write access to the directory.

  5. Set up the sudoers file to enable you to run certain applications as the jail user.

  6. Install a special script in /usr/local/bin that automatically uses Microsoft Word, running in the jailed environment, to open any Word document in read-only mode.

9.12.1. Get Your Safe Environment Set Up

Create both a user and a group named jail. Make the jail user a member of the jail group, but do not add this user to any other groups. You want the jail user to have as few privileges as possible. Your Linux distribution probably includes a graphical application to manage users and groups. If you prefer to use the command line, one way to create this user is to log in as root and issue the following commands:

# groupadd jail
# useradd jail -d /home/jail -m -g jail -s /bin/bash
# passwd jail
New UNIX password: <password>
Retype new UNIX password: <password>
passwd: password updated successfully

Though you are providing a password, you will configure sudo so that users do not need to enter it to use the jail account for tasks such as viewing Word documents.


Now log in as the jail user, and install CrossOver Office or Wine in the /home/jail directory. Then install Microsoft Word or Microsoft Office via your choice of Windows emulator in the /home/jail directory. Make sure that you can launch Microsoft Word and that everything works before you continue.

Once you are completely done installing everything you need in the /home/jail directory, log out of the jail account and add another level of safety by editing the jail user entry in /etc/passwd to change the shell from /bin/bash to /bin/false. Because /bin/false does nothing but exit immediately, nobody can log in to the jail account and reach a command-line shell.


Now install sudo if it is not already installed for your distribution. Some distributions package it under the name sudosh. Log in as root, and run the visudo command to edit the sudoers file that controls the behavior of sudo. Edit the sudoers file to include these lines:

# Cmnd alias specification: programs that may be run as the jail user

Cmnd_Alias VIEWERS = /bin/rm, /home/jail/cxoffice/bin/winword

Defaults:ALL    env_reset
Defaults:ALL    env_keep=DISPLAY
Defaults:ALL    always_set_home

ALL ALL = (jail) NOPASSWD: VIEWERS

In case you're not familiar with sudo, the Cmnd_Alias VIEWERS line defines the list of programs that may be run as the jail user. You can add other viewers to the VIEWERS alias later if you want, but until you are certain everything works, keep it simple. The last line of the example file says that ALL users on ALL hosts can run the VIEWERS programs as the jail user without having to enter a password. Save your changes and exit visudo.

Incidentally, the env_reset setting tells sudo to eliminate all but the most basic environment variables. This way, your personal environment variables will not "leak" into the jail account while you're using it. env_keep=DISPLAY simply retains the DISPLAY environment variable so that the program will show up on the current display. The always_set_home variable makes sure that when you use sudo to run a program as the user called jail, it will set the HOME variable to be /home/jail instead of retaining the HOME variable of your user account.

While you are still logged in as root, create the following /usr/local/bin/wordview script:

#!/bin/bash
# wordview: copy a Word document into the jail's shared directory, open the
# copy read-only with Word running as the jail user, then delete the copy.

if [ $# -ne 1 ] || [ ! -r "$1" ]; then
    echo "No such file, or file is not readable" >&2
    exit 1
fi

filename=$(basename "$1")
cp "$1" /home/jail/Documents/"$filename"
chmod 444 /home/jail/Documents/"$filename"   # read-only copy; the original is untouched
cd /home/jail/cxoffice/bin || exit 1
sudo -u jail /home/jail/cxoffice/bin/winword f:"$filename"
sudo -u jail rm -f /home/jail/Documents/"$filename"

Save your work, and make the file executable:

# chmod +x /usr/local/bin/wordview

You have to take care of two obscure details to make this work. First, you must configure CrossOver Office (or Wine) to map DOS drive f: to the /home/jail/Documents directory. Here's how to do that with CrossOver Office (if you have already changed the jail user's shell to /bin/false, give su an explicit shell: su -s /bin/bash - jail):

# su - jail
$ cd /home/jail/.cxoffice/dotwine/dosdevices
$ ln -sf /home/jail/Documents "f:"
$ exit

If the DOS drive f: is already defined by CrossOver Office, choose another drive letter, but make sure it matches the drive letter in the line of the /usr/local/bin/wordview script that looks like this:

sudo -u jail /home/jail/cxoffice/bin/winword f:"$filename"

If you are using something other than CrossOver Office, you also have to adjust one other line in the /usr/local/bin/wordview script. This line points to the executables directory for CrossOver Office:

cd /home/jail/cxoffice/bin

It needs to be changed to point to the location of the executable files you are using:

cd /home/jail/<route to your winword executable file>

9.12.2. Give Your Creation a Try

Now you're ready to try it out. Log in as a normal user and find a Microsoft Word document to which you have legitimate access (such as a Word document in your home directory). For this example, assume the file is named dangerous.doc and is located in your home directory, /home/carlotta. Log in as carlotta, start up your favorite desktop environment or window manager, open a terminal, and issue this command to open the document using the script you just created:

$ wordview dangerous.doc

The script makes a copy of dangerous.doc in /home/jail/Documents, and then, running as the jail user, it opens the document as read-only in Microsoft Word. When you are done viewing the document and you exit Microsoft Word, the script will delete the temporary copy of dangerous.doc from /home/jail/Documents. (This is why you made the /bin/rm command available to the jail user. It's not a necessary step, so you can modify sudoers and the script accordingly, but it does keep the /home/jail/Documents directory uncluttered.)

This is definitely not a good technique for viewing personal or company documents. Even though the script deletes the document after you are done viewing it, the copy remains in /home/jail/Documents, which every user can read, for as long as you have it open. During this time, any other user on the system can read the document you have open, and can even save a private copy. So, reserve this technique for documents that come from an unknown or untrusted source.
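As an added example (not part of the original hack), the following POSIX sh script generalizes wordview to any viewer listed in the VIEWERS alias and addresses the concern above: each invocation stages the copy in a private subdirectory that only the caller and the jail group can enter, so other users cannot read the document while it is open. The names jailview, make_view_dir, stage_copy, win_path and view_file, the JAIL_* variables, and the extra assumption that /home/jail/Documents is group-owned by jail with the setgid bit set are this example's, not the book's.

```shell
#!/bin/sh
# jailview FILE [VIEWER]: open an untrusted file as the jail user from a
# per-run staging directory that other local users cannot enter. Assumes
# (this example's, not the hack's): drive f: -> /home/jail/Documents, which is
# group jail with the setgid bit set (chmod 2777); VIEWER is in sudoers VIEWERS.
JAIL_DOCS="${JAIL_DOCS:-/home/jail/Documents}"   # shared staging directory
JAIL_GROUP="${JAIL_GROUP:-jail}"                 # group of the jail user
JAIL_DRIVE="${JAIL_DRIVE:-f}"                    # DOS drive mapped to JAIL_DOCS
JAIL_RUN="${JAIL_RUN:-sudo -u jail}"             # how a viewer is run as jail

# Create a staging directory only the caller (owner) and the jail group can
# enter; "other" users get nothing. Prints its path.
make_view_dir() {
    dir=$(mktemp -d "$JAIL_DOCS/view.XXXXXX") || return 1
    # setgid on JAIL_DOCS should make the new dir inherit the jail group
    if [ "$(ls -ld "$dir" | awk '{print $4}')" != "$JAIL_GROUP" ]; then
        echo "$dir is not group $JAIL_GROUP: set the setgid bit on $JAIL_DOCS" >&2
        rm -rf "$dir"; return 1
    fi
    chmod 770 "$dir" && printf '%s\n' "$dir"
}

# Copy the file in, readable but not writable by the jail user (mode 440),
# so the viewer cannot modify it in place. Prints the copy's path.
stage_copy() {   # $1 = source file, $2 = staging dir
    name=$(basename "$1")
    cp "$1" "$2/$name" && chmod 440 "$2/$name" && printf '%s\n' "$2/$name"
}

# Turn a path under JAIL_DOCS into the DOS path the viewer expects, e.g.
# /home/jail/Documents/view.abc123/x.doc -> f:\view.abc123\x.doc
win_path() {
    rel=${1#"$JAIL_DOCS"/}
    printf '%s:\\%s\n' "$JAIL_DRIVE" "$(printf '%s' "$rel" | tr '/' '\\')"
}

# Stage, view as jail, then remove the staging directory. The caller owns it,
# so it can also unlink lock or temp files the viewer created as jail.
view_file() {   # $1 = viewer program, $2 = file to open
    [ -r "$2" ] || { echo "No such file, or file is not readable" >&2; return 1; }
    dir=$(make_view_dir) || return 1
    copy=$(stage_copy "$2" "$dir") || { rm -rf "$dir"; return 1; }
    $JAIL_RUN "$1" "$(win_path "$copy")"
    status=$?
    rm -rf "$dir"
    return $status
}
case "${0##*/}" in
    jailview) view_file "${2:-/home/jail/cxoffice/bin/winword}" "$1" ;;
esac
```

Because the staging directory is removed by its owner, /bin/rm no longer needs to be in the VIEWERS alias for this script.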


9.12.3. Automating Wordview in Mozilla

Not every application makes it possible to customize what action it will take when it opens a Microsoft Word document. Some applications that do make it possible don't make it easy.

But it should be easy for Mozilla users. The next time you come across a Word document while browsing a web page, you can adjust what Mozilla does when you click Word document links. When you click a link to a Word document, you should get a dialog box that asks you what to do (Figure 9-2). Tell Mozilla to open the document with /usr/local/bin/wordview.

Figure 9-2. Dialog for setting document handling


You should see the same dialog if you try to open a Microsoft Word attachment using Mozilla Mail. Then you can set up Mozilla Mail to run /usr/local/bin/wordview automatically when opening attached Word documents.

The technique for setting up the Mozilla Thunderbird email client is a bit different. When you receive a Word document, right-click it and choose Open. This brings up a dialog that gives you the choice of saving the file or specifying a program with which to open the file. In addition, a checkbox (similar to the one in Figure 9-2 for Mozilla) tells Thunderbird to treat this type of file the same way by default.

Unfortunately, it isn't quite as easy to make the Mozilla Firefox browser behave this way. I expect this limitation will disappear as the application matures. Fortunately, it looks like Firefox inherits the setting from Thunderbird. After setting up Thunderbird to view Word documents with wordview, that setting seems to have magically appeared in the preferences dialog for Firefox.

9.12.4. Preparing for Unlikely Damage

With everything protected in a sudo jail, the worst possible damage a virus could do is to infect your copy of CrossOver Office. Even though I am not aware of any virus that can attack CrossOver or Wine, it is theoretically possible, because both mimic Windows very closely. If you're worried this might happen, make a backup copy of CrossOver Office and your installation of Microsoft Word as soon as you're done installing these packages. If anything damages either CrossOver Office or Microsoft Word, you can overwrite the damaged files with the backup copy. Make sure you back up both the hidden and unhidden CrossOver Office directories:

# cd <backup directory>
# tar cjvf crossover.tar.bz2 /home/jail/.cxoffice /home/jail/cxoffice

In the unlikely event that you have to restore a damaged CrossOver Office environment, here's how to restore it (tar stores the paths without their leading /, so extract from the root directory to put the files back under /home/jail):

# cd /
# tar xjvf <backup directory>/crossover.tar.bz2

Obviously, if you are using Wine or some other means of running Microsoft Word, back up those directories instead of /home/jail/.cxoffice and /home/jail/cxoffice.
