I already have heared about Bottles sandboxing capabilities, but, how this differs from standard Flatpak sandboxing system? Is really secure execute any Windows Software using Bottles? (yes, every machine have his vulnerabilities blah blah)

  • Björn Tantau
    link
    fedilink
    201 year ago

    No, not at all. Bottles just helps you setting up different environments for running programs with Wine. They are not sandboxed in any way. The only thing they do is tell Wine “use this folder as the Windows-C-Drive”. And by default the whole root system is exposed as Z to the Wine environment (with the usual Linux permissions). And even if the root drive were not exposed there are not any mechanisms in Wine to prevent a malware from gaining access.

      • Björn Tantau
        link
        fedilink
        51 year ago

        Honestly, I wouldn’t even trust them. If the malware’s goal is to get into your local network it will have achieved that on a virtual machine. And as far as I know there have also been ways to break out of a virtual machine. Probably fixed by now, but who knows what else lurks there.

        Just don’t run software you don’t trust.

        • I don’t trust in any Windows Application at all, but I think this doesn’t mean I need to live under a rock. This is the reason because I open this Post. So thank you for you help and your time :) You are very cool.

          I think is a good option play videogames in a Virtual Machine when is possible. But I just want to feel “more secure” when I need to play in my host machine, for example, using sandboxing.

          • @Zangoose
            link
            English
            21 year ago

            There’s a difference between telemetry/tracking which can at least be limited using an isolated VM, and malware which will attempt to take over your computer/network, so it really depends on why you don’t trust the program.

            Imo, if you just want to run a program that’s made for windows (and you trust that it isn’t malware), then a VM or potentially even wine by itself would be sufficient. If you want to run something you think might be malware, don’t. No amount of virtual isolation will guarantee protection from malware.

  • @[email protected]
    link
    fedilink
    121 year ago

    Most malware is written for Windows, especially when it’s distributed as a Windows executable. (Almost) no Windows malware targets Wine specifically. However, Wine on its own is not a sandboxing tool, and Windows ransomware will ruin your day.

    Bottles does two things for security:

    1. Separate wineprefixes
    2. Being a flatpak

    By separating wineprefixes, as long as the host filesystem is not directly exposed (which iirc is default for bottles), any malware not written with Wine in mind will only affect its own “bottle”.

    By being a flatpak, even if some Windows malware specifically targets Wine, it would still have to escape the flatpak sandbox for elevated permissions. If the bottles flatpak has no access to personal files, “Wine-aware” malware won’t either.

    Although malware can still do damage, even in its own sandbox. For example, botnet type malware would still function. The host system is “safe”, but the damage can still be done externally. Usually application-defined “autostarting” of applications is broken under Wine (iirc), which means all non “Wine-aware” malware will only start when an infected windows application is started in bottles.

    Any sandbox will eventually be escaped, and malware sophisticated enough will be able to get access to everything on the host system. The chances of running into malware like this in the wild are extremely small.

    • Is it fully secure? No.
    • Is your virtual Windows environment safe? No.
    • Are other “bottles” safe? Likely, as long as the malware isn’t aware of Wine.
    • Is your Linux host safe? Most likely, depending on your flatpak settings. (and the malware has to specifically target Wine under Flatpak).
    • These are pretty good news! Thank you for explain in a better form the context of situation.

      Actually, sounds cool. Now feel sure I can run cs1.6 no steam with 18 trojans detected by VirusTotal from a pakistani server and don’t scare me because I will use Bottles into a Arch Linux Virtual Machine lmao (this is just a sarcasm, in any case, I also bought cs1.6. I think there are only hackers anyways)

  • macniel
    link
    fedilink
    81 year ago

    Huh? Why do you compare bottles, which is a way of simplifying running windows applications via wine, with flatpaks which contains native linux applications?

    • Because Bottles is distributed via Flatpak, which is…

      Safe. Sandboxed.

      Because…

      Your bottles are isolated from the system and will only hit your personal files when you decide.

      The full-sandbox is provided and pre-configured only using the Flatpak package (highly recommended).

      All other packages still have access to the partial sandbox which isolates the bottle files and prevents them from accessing your homedir.

      (This is a extract from the official homepage in the last section)

    • @GustavoM
      link
      English
      01 year ago

      Apparently the “logic” behind this is simply, “because both isolate stuff”.

  • @[email protected]
    link
    fedilink
    7
    edit-2
    1 year ago

    As others have said, no it’s not really secure.

    But you could always use something like Firejail or Bubblejail to properly sandbox your applications. Also, using technologies like SELinux or AppArmor helps improve your security profile and could protect you against unknown/future exploits.

    But most importantly, the best security measure you can take is keeping your system up-to-date, especially kernel updates. Unfortunately, if you’re using some small-time distro, they may not update frequently or may not be as quick to respond to security incidents. Even some old-time reputable distros have been pretty bad at updating, like Linux Mint for example.

    Also, consider using an immutable distro for added security, preferably one which has SELinux enabled and configured out-of-the-box, such as Bazzite.