Are actually Bottles secure?

bjoern_tantau , 8 months ago

No, not at all. Bottles just helps you setting up different environments for running programs with Wine. They are not sandboxed in any way. The only thing they do is tell Wine “use this folder as the Windows-C-Drive”. And by default the whole root system is exposed as Z to the Wine environment (with the usual Linux permissions). And even if the root drive were not exposed there are not any mechanisms in Wine to prevent a malware from gaining access.

RuikkaaPrus OP , 8 months ago

So… That means the current only way to keep the main system is through Virtual Machines?

bjoern_tantau , 8 months ago

Honestly, I wouldn’t even trust them. If the malware’s goal is to get into your local network it will have achieved that on a virtual machine. And as far as I know there have also been ways to break out of a virtual machine. Probably fixed by now, but who knows what else lurks there.

Just don’t run software you don’t trust.

RuikkaaPrus OP , 8 months ago

I don’t trust in any Windows Application at all, but I think this doesn’t mean I need to live under a rock. This is the reason because I open this Post. So thank you for you help and your time :) You are very cool.

I think is a good option play videogames in a Virtual Machine when is possible. But I just want to feel “more secure” when I need to play in my host machine, for example, using sandboxing.

Zangoose , 8 months ago

There’s a difference between telemetry/tracking which can at least be limited using an isolated VM, and malware which will attempt to take over your computer/network, so it really depends on why you don’t trust the program.

Imo, if you just want to run a program that’s made for windows (and you trust that it isn’t malware), then a VM or potentially even wine by itself would be sufficient. If you want to run something you think might be malware, don’t. No amount of virtual isolation will guarantee protection from malware.

DmMacniel , 8 months ago

Huh? Why do you compare bottles, which is a way of simplifying running windows applications via wine, with flatpaks which contains native linux applications?

RuikkaaPrus OP , 8 months ago

Because Bottles is distributed via Flatpak, which is…

Safe. Sandboxed.

Because…

Your bottles are isolated from the system and will only hit your personal files when you decide.

The full-sandbox is provided and pre-configured only using the Flatpak package (highly recommended).

All other packages still have access to the partial sandbox which isolates the bottle files and prevents them from accessing your homedir.

(This is a extract from the official homepage in the last section)

velox_vulnus , 8 months ago

But Bottles is also distributed as a non-Flatpak apps…

ShiningWing , 8 months ago

None of those are official though, the Flatpak is the only officially supported Bottles version, and the sandboxing is one reason why they recommend using the Flatpak

GustavoM , 8 months ago

Apparently the “logic” behind this is simply, “because both isolate stuff”.

d3Xt3r , 8 months ago

As others have said, no it’s not really secure.

But you could always use something like Firejail or Bubblejail to properly sandbox your applications. Also, using technologies like SELinux or AppArmor helps improve your security profile and could protect you against unknown/future exploits.

But most importantly, the best security measure you can take is keeping your system up-to-date, especially kernel updates. Unfortunately, if you’re using some small-time distro, they may not update frequently or may not be as quick to respond to security incidents. Even some old-time reputable distros have been pretty bad at updating, like Linux Mint for example.

Also, consider using an immutable distro for added security, preferably one which has SELinux enabled and configured out-of-the-box, such as Bazzite.

RuikkaaPrus OP , 8 months ago

I forgot Firejail and Bubblejail. These are good tools. I mean, only need to learn use it xd But actually sounds good.