this post was submitted on 10 Feb 2025
40 points (88.5% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ


So I was installing a repack on my Linux system, using Bottles because of its Flatpak sandbox.

As the install was wrapping up, it asked the standard question about redirecting to the websites. I (probably thinking nothing would happen) didn't uncheck anything, and to my surprise it opened the Firefox browser on my main system and launched the website, giving me quite the spook.

Doesn't this mean that anything I install on Bottles can somehow still ping home even if I disable networking from Flatseal?

Am I being paranoid, or is this a serious security flaw?

top 7 comments
[–] HappyTimeHarry@lemm.ee 65 points 6 months ago

You are being paranoid. Wine is just calling your default web browser to open the link.

[–] remotelove@lemmy.ca 12 points 6 months ago (1 children)

Check your flatpak permissions for starters.

Flatpak apps operate more like containers and not a full-blown sandbox, unless that has changed recently.

This is an interesting blog post on the subject: https://hanako.codeberg.page/

Also, try flatpak run org.mozilla.firefox to see if you can launch a browser manually.

Disclaimer: It's been a bit since I have used flatpak, so take that into account. However, I do work in security by trade, so my quick notes may point you in a decent direction at a minimum.

[–] Chewy7324@discuss.tchncs.de 4 points 6 months ago

After a quick read over some parts of the article, and looking into the Bottles flatpak manifest, I don't think the sandbox escapes listed apply to Bottles - as long as you are exclusively using Wayland-compatible apps besides your games.

  • Bottles does not have access to $HOME, only through interactive xdg-portals
  • As long as you are using Wayland, an attacker can only access apps running through XWayland.

Sadly electron is still a pita, so closing Discord and VSCode while gaming would be necessary (or restrict their host access, which would break sharing files in Discord and many more things in VSCode).

So yes, I sadly have to agree: don't rely on a sandbox unless you're not running X11.

Luckily Wine will soon support Wayland, so removing X11 access from Bottles would break this specific sandbox escape. Otherwise I do think flatpak/bubblewrap sandboxing is pretty solid.
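An added example, not from any of the posters or from the Bottles project, that turns remotelove's "check your flatpak permissions" and Chewy7324's "removing X11 access from Bottles" into a small audit: it reads sandbox grants in the format that flatpak info --show-permissions prints, checks whether the X11 socket and the network are shared, and prints the matching flatpak override command. The Flathub app ID com.usebottles.bottles and the sample permission listing are assumptions supplied here, not taken from the thread.

```shell
#!/bin/sh
# Audit a Flatpak's sandbox grants for the two this thread turns on: the X11
# socket (the escape path Chewy7324 describes) and shared network access.
# App ID defaults to Bottles' Flathub ID (com.usebottles.bottles, assumed).
APP="${1:-com.usebottles.bottles}"

# Constructed sample in the format `flatpak info --show-permissions` prints,
# used when flatpak is not installed so the script also runs offline.
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=xdg-download;
'

# get_permissions APP: live listing when flatpak exists, else the sample.
get_permissions() {
  if command -v flatpak >/dev/null 2>&1; then
    flatpak info --show-permissions "$1" 2>/dev/null
  else
    printf '%s' "$SAMPLE_PERMISSIONS"
  fi
}

# has_grant PERMS KEY VALUE: succeeds if the KEY= line lists VALUE
# (values are semicolon separated, e.g. sockets=x11;wayland;).
has_grant() {
  printf '%s\n' "$1" | grep "^$2=" | tr ';' '\n' | sed "s/^$2=//" | grep -qx "$3"
}

# suggest_override APP PERMS: print the `flatpak override` that drops the
# risky grants found, or "no override needed".
suggest_override() {
  flags=""
  has_grant "$2" sockets x11 && flags="$flags --nosocket=x11"
  has_grant "$2" shared network && flags="$flags --unshare=network"
  if [ -n "$flags" ]; then
    printf 'flatpak override --user%s %s\n' "$flags" "$1"
  else
    echo "no override needed"
  fi
}

PERMS=$(get_permissions "$APP")
suggest_override "$APP" "$PERMS"
```

Dropping the X11 socket is exactly what Chewy7324 says will break games that still run through XWayland until Wine's Wayland support lands, so expect that trade-off. flatpak override --user --show APP lists the overrides you have applied.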

[–] _cryptagion@lemmy.dbzer0.com 10 points 6 months ago (1 children)

If you disable networking, nothing can "ping home". It didn't ping anything, it opened the default program on your computer for using the web and passed a website request to it. That's standard behavior.

[–] UsemyName@mander.xyz 3 points 6 months ago

But can it do it without the user interacting with it?

[–] SitD@lemy.lol 1 points 6 months ago* (last edited 6 months ago)

Since no one said it yet: you can go check your /etc/hosts file to see if it was tampered with. I'm quite sure your installer just changed a random hosts file inside the Wine bottle.

[–] kurodriel@lemmy.dbzer0.com 1 points 5 months ago

Rdxerdxxx. Rdddxxrdx. ,,,,,,,,,,,,,,,,, , ,,,,,, ,f