picasa linux security risk - mitigation?


fuherb

Jun 26, 2009, 3:00:13 AM
to Google-Labs-Picasa-for-Linux
Hi, I am using Picasa3 for Linux.
I note that the default Wine driver map used by Picasa is to map the
Z: drive to my / (root) directory. I feel a bit insecure as this opens
up the system folders to Wine. There have been discussions around
whether this can pose a security risk.
I tried to modify the link of Z: to a photo folder in my /home/user
directory. But with that Picasa will not start. If I remove the Z:
link completely, then once I start Picasa again, the Z: link is mapped
again automatically to /.
Any way I can modify the mapping of Z: and still use Picasa and feel a
bit more secure?

DanKegel

Jun 26, 2009, 8:08:40 AM
to Google-Labs-Picasa-for-Linux
On Jun 26, 12:00 am, fuherb <fuh...@gmail.com> wrote:
> Hi, I am using Picasa3 for Linux.
> I note that the default Wine driver map used by Picasa is to map the
> Z: drive to my / (root) directory.  I feel a bit insecure as this opens
> up the system folders to Wine.

There are two things to remember here:
1) even if / were not mapped to a drive letter, the app would still
have full access to / via Linux system calls. Wine drive mappings
are not a secure sandbox. If you want to sandbox an app,
you'll have to use a stronger method, like a chroot jail.
2) The copy of Wine in Picasa3 for Linux is not invoked
for anything but Picasa3. The attack surface is fairly small;
I can't think of anything offhand other than Picasa's use of
Wine's web browser, e.g. to access third party print providers.

> I tried to modify the link of Z: to a photo folder in my /home/user
> directory.  But with that Picasa will not start.  If I remove the Z:
> link completely, then once I start Picasa again, the Z: link is mapped
> again automatically to /.
> Any way I can modify the mapping of Z: and still use Picasa and feel a
> bit more secure?

You could use Picasa for Windows on vanilla Wine; then you'll
have more control over the Z: mapping. I don't think that
really adds much security, though.
- Dan
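
An added example, not part of the original thread or of Picasa's own tooling: a script that inventories where each drive letter of a Wine prefix points. It assumes the standard Wine layout, in which drive letters are symlinks under `<prefix>/dosdevices`; the function names and the sample prefix are constructed for illustration. As the reply above says, a mapping that avoids / still does not confine the application, so the output is an inventory, not evidence of isolation.

```shell
#!/bin/sh
# Added example: audit the drive-letter symlinks of a Wine prefix.
# Assumption: standard Wine layout, <prefix>/dosdevices/<letter>: -> target.

# Print "<letter>: <resolved target> <verdict>" for each drive mapping.
# Verdicts: ROOT (whole filesystem), INSIDE (within the prefix),
# OUTSIDE (elsewhere on the host), DANGLING (target does not resolve).
audit_wine_drives() {
    prefix=$1
    dos="$prefix/dosdevices"
    [ -d "$dos" ] || { echo "no dosdevices directory in $prefix" >&2; return 2; }
    real_prefix=$(cd "$prefix" && pwd -P) || return 2
    for link in "$dos"/?:; do
        [ -L "$link" ] || continue
        letter=${link##*/}
        # Follow the symlink and take the physical path it lands on.
        target=$(cd "$link" 2>/dev/null && pwd -P) || target="(dangling)"
        case $target in
            /) verdict=ROOT ;;
            "$real_prefix"|"$real_prefix"/*) verdict=INSIDE ;;
            "(dangling)") verdict=DANGLING ;;
            *) verdict=OUTSIDE ;;
        esac
        printf '%s %s %s\n' "$letter" "$target" "$verdict"
    done
}

# Build a constructed sample prefix (hypothetical, for offline runs only):
# c: inside the prefix, z: mapped to / as in the thread, p: elsewhere.
make_sample_prefix() {
    p=$(mktemp -d) || return 1
    mkdir -p "$p/dosdevices" "$p/drive_c"
    ln -s ../drive_c "$p/dosdevices/c:"
    ln -s / "$p/dosdevices/z:"
    ln -s "$(dirname "$p")" "$p/dosdevices/p:"
    echo "$p"
}

sample=$(make_sample_prefix)
audit_wine_drives "$sample"
rm -rf "$sample"
```

To check a real installation, call `audit_wine_drives` with the path of the prefix in question instead of the sample.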