Permission/Ownership issue

Asked by MiggyMan

After finally getting pipelight to install (involved setting our proxying in wgetrc and symlinking the .wine-pipelight folder to a local dir), I'm having an issue with the permissions on the pipelight folder. Notably, when it's set to the current user I can view Netflix without issue; however, if I try to change the permissions/ownership to be "user-agnostic" (in this case owned by root:users, with all users in the users group, and the files set to 774), I find that Silverlight simply fails to load and just gives a black screen. Changing the permissions to 777 makes no difference. Only when the folder is owned by the current user does it work, which is problematic both because we have multiple users who may be using a machine and because it will likely cause issues with puppetising the package.

Question information

Language: English
Status: Answered
For: Pipelight
Assignee: No assignee

Michael Müller (mqchael) said :
#1

Hi,

Wine does not start if the wine prefix is not owned by the user. You cannot change this behavior, but you can work around it.

1. Instead of symlinking the directory, copy the configuration files to some place and change the path inside of them. The Silverlight configuration can be found at /usr/share/pipelight/configs/pipelight-silverlight5.1

Now open the copied file and change the winePrefix to something like:
winePrefix = /var/wine/$WINEUSER/.wine-pipelight/

$WINEUSER will be replaced with the username when running pipelight and is almost identical to the $USER environment variable (it only closely follows the logic of Wine to determine the username). You can NOT use /var/wine/$WINEUSER-wine/ because wine also does not create the wine prefix if the parent directory is owned by someone else. So you need to make sure that /var/wine/$WINEUSER/ is created during the login and is owned by the user. I do not know your setup, but it sounds like you are using NFS and LDAP or some other way to synchronize your users, so it may be a good idea to use PAM to create the necessary directory. I have not tested it, but the following PAM config entry may help you:

session optional pam_exec.so mkdir /var/wine/$PAM_USER/

If this is not possible for you, we may also talk about patching wine to allow this, since I do not see much sense in requiring that the parent directory must be owned by the user.

2. Now you need to place the file at some position where Pipelight can find it. You can either copy the configuration into each user's home directory or put it on every machine under /etc, whatever is easier to set up for you.

User specific: $HOME/.config/pipelight-silverlight5.1
System specific: /etc/pipelight-silverlight5.1

Michael

Sebastian Lackner (slackner) said :
#2

Michael is right, most of these are unfortunately restrictions by Wine
itself, not Pipelight.

I just wanted to add: It probably helps when you provide some more details
about the system. There are a lot of possibilities, but not sure if they
are required/suitable for your setup. For example:

* We have a kernel patch to allow using XATTR on tmpfs file systems, so
all wine prefixes could be located in /tmp if this is an option.
Disadvantage is that it has to be reinstalled after each reboot, and that
wine refuses to create a subdirectory when not using one of the workarounds
above.

* By setting winePath in the config to a short bash wrapper script it's also
possible to create required directory structures, and afterwards start wine
with modified parameters. A simple script like below should be sufficient:

-----
#!/bin/sh
# ... here code to create necessary directories if they don't exist ...
# if [ ! -d .... ]; then mkdir ...; fi

exec /opt/wine-compholio/bin/wine "$@"
-----

Regards,
Sebastian


Michael Müller (mqchael) said :
#3

@ Sebastian:
I think your last idea does not work properly, because we have the same check in our install-dependency script and it checks the permissions of the parent directory of the wine-prefix. This should fail if the parent directory does not exist and Wine will not even start. This was added to prevent MDM from loading the plugin.

---snip----
if [ ! -w "$WINEPREFIX" ]; then
 WINEPREFIX_PARENT="$(dirname "$WINEPREFIX")"
 if [ ! -w "$WINEPREFIX_PARENT" ] || [ ! -O "$WINEPREFIX_PARENT" ]; then
  echo "[$PRG] ERROR: You're running this script as a wrong user - WINEPREFIX or parent directory not owned by you." >&2
  exit 1
 fi
fi
---snip---

Example:
$ dirname /var/does/not/exist
/var/does/not

The test if the directory is writable and owned by the user will fail.

Michael

Sebastian Lackner (slackner) said :
#4

Michael is right, but it doesn't completely destroy the idea ;) It would
just be necessary to wrap the dependencyInstaller script instead of Wine
directly, and create the directory structures there. Nevertheless it
probably doesn't make sense to speculate too much, would be useful to know
some more details about the system, to decide which approach is the best
one.


Michael Müller (mqchael) said :
#5

After thinking a bit about it, my pam config line was not sufficient as the directory is still owned by root. Better create a script:

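#!/bin/bash
# $1 = user name; create the per-user parent directory for the wine prefix
mkdir -p "/var/wine/$1/"
# hand the directory to the user so Wine's ownership check passes
chown "$1:$1" "/var/wine/$1/"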

and simply call it using pam_exec:

session optional pam_exec.so /path/to/script.sh $PAM_USER

One small addition to Sebastian's first idea: Using tmpfs for storing the wine-prefix has the disadvantage that you always get a new Silverlight hardware id. This causes trouble with some VOD services as they limit the number of devices you are allowed to use within a month.
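
A more defensive version of the pam_exec hook discussed in this thread, as an added example that is not code from the thread or from Pipelight: it reads the user from the PAM_USER environment variable that pam_exec exports, validates the name before building a path, and then applies the same ownership test as the install-dependency check quoted above. The function names and the WINE_BASE variable are assumptions; /var/wine is the path used in the thread.

```shell
#!/bin/sh
# Added example: pam_exec session hook (not Pipelight's or the thread's code).
# Assumes $WINE_BASE itself is root-owned and not writable by ordinary users.
WINE_BASE="${WINE_BASE:-/var/wine}"

# Accept only plain account names: non-empty, no '/', no leading '.' or '-'.
valid_user() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Create $WINE_BASE/<user>, owned by <user>, mode 0700. Safe on every login.
make_wine_parent() {
    user="$1"
    valid_user "$user" || return 2               # blocks ../ path tricks
    id -u "$user" >/dev/null 2>&1 || return 3    # account must exist
    dir="$WINE_BASE/$user"
    if [ -L "$dir" ]; then return 4; fi          # never chown through a symlink
    if [ ! -d "$dir" ]; then
        mkdir -m 0700 "$dir" || return 5
    fi
    # Primary group from the directory service, not an assumed same-name group.
    chown -h "$user:$(id -g "$user")" "$dir" || return 6
    chmod 0700 "$dir"
}

# The ownership test quoted from the install-dependency script, as a function.
parent_ok() {
    [ -w "$1" ] && [ -O "$1" ]
}

# pam_exec exports PAM_USER and PAM_TYPE; act only when a session opens.
if [ "${PAM_TYPE:-}" = open_session ] && [ -n "${PAM_USER:-}" ]; then
    make_wine_parent "$PAM_USER"
fi
```

With this script the PAM line needs no argument: session optional pam_exec.so /path/to/script.sh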
