Old 08-14-2017, 06:13 PM   #1
mikeypee
Human being with feelings
Join Date: Aug 2011
Posts: 660
Default Linux->Wine->VST Security Considerations?

Hey all,

I'm just now using Reaper under Linux, with LinVST to run VST plugins. Now I'm wondering .... what are the security risks of running strange dlls?

I know this is too paranoid, and most (if not all) dll's off KVR are completely harmless. But I have to wonder how much damage a VST could do? Access the internet? Rewrite my home directory?

I was mitigating this before, by simply running Reaper as a different user. So for instance, my username is obviously just "mike", and I have a user called "mike.reaper", and a script that runs reaper under the "mike.reaper" account, which has no privileges. That way, at worst, I'd just lose that account's data and not my own.

But I've been having trouble with LinVST under this method for some reason, and have started running Reaper under my own main user account.

Should I be worried? What are things to consider?
__________________
~~~ Proud Reaper License Owner! ~~~
mikeypee is offline   Reply With Quote
Old 08-15-2017, 03:09 AM   #2
Jack Winter
Human being with feelings
Join Date: Aug 2007
Location: Luxembourg/Spain
Posts: 1,797
Default

Quote:
Originally Posted by mikeypee
Hey all,

I'm just now using Reaper under Linux, with LinVST to run VST plugins. Now I'm wondering .... what are the security risks of running strange dlls?

I know this is too paranoid, and most (if not all) dll's off KVR are completely harmless. But I have to wonder how much damage a VST could do? Access the internet? Rewrite my home directory?

I was mitigating this before, by simply running Reaper as a different user. So for instance, my username is obviously just "mike", and I have a user called "mike.reaper", and a script that runs reaper under the "mike.reaper" account, which has no privileges. That way, at worst, I'd just lose that account's data and not my own.

But I've been having trouble with LinVST under this method for some reason, and have started running Reaper under my own main user account.

Should I be worried? What are things to consider?
I suppose I have bad news for you. An application running under Wine can access the entire filesystem (the same as your user), so essentially there is no sandboxing; it runs just like any program that you start. It can also use the internet; the only way I know of to disable this is to run it under a different user login and to restrict internet access via your firewall.
__________________
Reaper for Linux Documentation (WIP). Software: Archlinux/KDE, Fabfilter FX, Komplete 8, Nebula, Schwa/Stillwell, T-racks Max/Amplitube/SVX, etc. Gear: i7-2600k/4700HQ/16GB, RME Multiface/Babyface, Behringer X32, Genelec 8040,etc. :)

Last edited by Jack Winter; 08-15-2017 at 06:08 AM.
Jack Winter is offline   Reply With Quote
Old 08-15-2017, 04:33 AM   #3
mikeypee
Human being with feelings
Join Date: Aug 2011
Posts: 660
Default

Crap. That's what I figured.

I mean I knew that about wine, but I was hoping the VST specification itself had its own restrictions, to make a wine-vst safer than a wine-exe, somehow.

I suppose my instinct to run under a different account was correct. Too bad I'm having problems with LinVST under a different account right now :-\
__________________
~~~ Proud Reaper License Owner! ~~~
mikeypee is offline   Reply With Quote
Old 08-15-2017, 08:40 AM   #4
Xenakios
Human being with feelings
Join Date: Feb 2007
Location: Oulu, Finland
Posts: 7,956
Default

Quote:
Originally Posted by mikeypee
I was hoping the VST specification itself had its own restrictions
The VST standard says nothing about what operating system calls are permitted from the plugins and even if it did, enforcing that would be very complicated.
__________________
For info on SWS Reaper extension plugin (including Xenakios' previous extension/actions) :
http://www.sws-extension.org/
https://github.com/Jeff0S/sws
--
Xenakios blog (about HourGlass, Paul(X)Stretch and λ) :
http://xenakios.wordpress.com/
Xenakios is online now   Reply With Quote
Old 09-03-2018, 11:01 PM   #5
monty
Human being with feelings
Join Date: Dec 2015
Posts: 185
Default

These instructions show how to start specific programs without allowing them access
to the internet. It can be useful when starting Windows programs under Wine, if you
don't know what a program does over the network, or you simply don't trust the program.

replace "username" with your own username

Step 1.
-------
Create a group called "no-internet" and add your user as a member of this new group:
sudo groupadd no-internet
sudo usermod -a -G no-internet username

Step 2.
-------
Create a script:
sudo nano /usr/bin/ni

with this contents:

#!/bin/bash
# Quote each argument so names with spaces survive the trip through sg,
# then run the command with "no-internet" as its effective group.
COMMAND=""
for arg; do
    COMMAND="$COMMAND $(printf '%q' "$arg")"
done
sg no-internet "$COMMAND"

And make it executable:

sudo chmod +x /usr/bin/ni

Step 3.
-------
Create a script called iptables_no-internet_rule as follows:

sudo nano /etc/network/if-pre-up.d/iptables_no-internet_rule

with this contents:

#!/bin/bash
iptables -I OUTPUT 1 -m owner --gid-owner no-internet -j DROP


And make it executable:
sudo chmod +x /etc/network/if-pre-up.d/iptables_no-internet_rule


Step 4.
-------
Enable the new firewall settings:
sudo /etc/network/if-pre-up.d/iptables_no-internet_rule


Step 5.
-------
Finished. You can now run any program without allowing that program to access
the network by using this command:

ni program_name [arguments]

Examples:

ni ping google.com
ni wine install.exe
ni firefox

Using this with Wine Launcher Creator is fairly easy, just change wine command from "wine" to "ni wine".



Reaper startup bash script:

nano /home/username/bin/reaper.sh

add:
#!/bin/bash
export WINELOADER='ni /usr/bin/wine'
ni /home/username/REAPER/reaper

make it executable:
chmod +x /home/username/bin/reaper.sh

launch reaper (create starter):
/home/username/bin/reaper.sh
__________________
KDENeon (5.0.0-36-lowlatency) AMD FX-8350, 16GB, GT 630 (nvidia-435), Multiscreen (2x 22", 1x 15"), Reaper (latest) Theme: iLogic Next, Interface: Tascam US-16x08, ControlSurface: Tascam US-2400, Monitors: JBL 4412A, Tascam VL-S3 & Alesis Elevate 3 mkII
monty is offline   Reply With Quote
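An added check script for the setup above (my own example, not from monty's post or any project): it verifies that the owner-match DROP rule is still first in OUTPUT, that the user is actually in the group in the current session, and it shows that Step 3 only covers IPv4. The gid lookup via getent and the sample rule listings are assumptions I constructed.

```shell
#!/bin/bash
# Added example (not from the thread): offline checks for the no-internet
# setup above. The functions take command output as text, so they can be
# unit-tested; the live invocations appear as comments at the end.

# True if the owner-match DROP rule for gid $1 is the FIRST rule in an
# `iptables -S OUTPUT` listing ($2). Order matters: any ACCEPT placed before
# it lets the group's traffic through, and a firewall reload that flushes
# OUTPUT removes the rule entirely. `iptables -S` prints the numeric gid,
# so pass the number (getent group no-internet | cut -d: -f3), not the name.
gid_drop_rule_is_first() {
    local first
    first=$(printf '%s\n' "$2" | grep -e '^-A OUTPUT' | head -n 1)
    case "$first" in
        *"-m owner --gid-owner $1 -j DROP"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if group $1 appears in a space-separated group list ($2), e.g. the
# output of `id -nG "$USER"`. usermod -a -G only applies to sessions started
# after it ran; this catches the "still in the old login" mistake.
user_in_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample listings in `iptables -S OUTPUT` format (gid 1001).
SAMPLE_OK='-P OUTPUT ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j DROP
-A OUTPUT -o lo -j ACCEPT'
# Same rule, but an ACCEPT now precedes it: HTTPS from the group gets out.
SAMPLE_BAD='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j DROP'
# Step 3 above adds an IPv4 rule only; `ip6tables -S OUTPUT` would show this.
SAMPLE_V6='-P OUTPUT ACCEPT'

# Live use (iptables needs root):
#   gid=$(getent group no-internet | cut -d: -f3)
#   gid_drop_rule_is_first "$gid" "$(iptables -S OUTPUT)"  || echo "IPv4 rule missing or not first"
#   gid_drop_rule_is_first "$gid" "$(ip6tables -S OUTPUT)" || echo "IPv6 rule missing"
#   user_in_group no-internet "$(id -nG "$USER")"          || echo "re-login needed"
#   Behavioural check: `ni curl -sS -m 5 https://example.com` must fail.
```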
Old 09-19-2018, 01:19 AM   #6
mike@overtonedsp
Human being with feelings
 
Join Date: Sep 2018
Posts: 38
Default

While it's possible that a malicious (or just badly written) plug-in might be able to do something you don't want - just like any other executable code - keep in mind that trying to spread malicious code deliberately by targeting VST plug-ins, and especially those which run on Linux via Wine, would have to be about the least efficient way to reach the smallest number of users possible.
mike@overtonedsp is offline   Reply With Quote
Old 09-19-2018, 02:17 AM   #7
cyrano
Human being with feelings
Join Date: Jun 2011
Location: Belgium
Posts: 4,615
Default

Quote:
Originally Posted by mike@overtonedsp
While it's possible that a malicious (or just badly written) plug-in might be able to do something you don't want - just like any other executable code - keep in mind that trying to spread malicious code deliberately by targeting VST plug-ins, and especially those which run on Linux via Wine, would have to be about the least efficient way to reach the smallest number of users possible.
Unless it's a targeted attack...

Trying to get malware to spread is old-fashioned. These days, the dangerous ones are aimed at a small group, or even individuals. Malware used to do damage upon entry. That's why the user noticed it. Targeted malware won't do damage and will go unnoticed.

It would surprise me too to see malware in a VST. Hiding in a Word doc, an Excel spreadsheet, or a pdf is much more common.
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
cyrano is offline   Reply With Quote
Old 09-19-2018, 04:44 AM   #8
mike@overtonedsp
Human being with feelings
 
Join Date: Sep 2018
Posts: 38
Default

Quote:
It would surprise me too to see malware in a VST. Hiding in a Word doc, an Excel spreadsheet, or a pdf is much more common...
It's true that you can't be too careful, I think there's a common sense risk assessment that should happen when considering if it's safe to install any software (open source too), and especially if it's a random .dll with no verifiable 'provenance' floating around on the internet vs e.g. a signed installer package from a verifiable 'entity'. (Personally I think you are far more likely to encounter bad plug-ins than deliberately malicious ones..)
mike@overtonedsp is offline   Reply With Quote
Old 09-19-2018, 10:00 AM   #9
cyrano
Human being with feelings
Join Date: Jun 2011
Location: Belgium
Posts: 4,615
Default

You'll certainly get bitten by a bug far more often...

But lately there have been a growing number of break-ins into servers of software makers, f.i.

How would you react if you got a personal email from, let's say Waves, with an offer to try one of their plugins for 30 days, to see if you'd buy it afterwards at -70%?

I just got one like that, but for security software. Google sent it to the spam folder. And it had a typo in my name. All else looked legit, but the download link went to another AWS instance. And there was no discount. Had it not been for those two things, I might have fallen for it.
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
cyrano is offline   Reply With Quote
Old 09-19-2018, 12:05 PM   #10
mike@overtonedsp
Human being with feelings
 
Join Date: Sep 2018
Posts: 38
Default

Quote:
How would you react if you got a personal email from...
(As a developer) I don't normally find myself needing too many of other people's plug-ins but I take the point - it's always wise to be careful.
mike@overtonedsp is offline   Reply With Quote
Old 09-19-2018, 01:16 PM   #11
SmajjL
Human being with feelings
Join Date: Nov 2013
Location: Sweden
Posts: 2,129
Default

Holy principles! Wow, and I was just about to fix my keyboard on my Xperia, and there are learning features for how I type
.. guess they know I smile a lot then..
I am actually thinking of staying on Windows since they have known me for a long time anyway and nothing bad has happened in reality yet being with MS, and that includes using bada-Bing instead of Google

ps: I am calm, wacha mean?
__________________
:)

Last edited by SmajjL; 09-19-2018 at 01:23 PM. Reason: From VST security to... I know, I know.. :p
SmajjL is offline   Reply With Quote
Old 10-03-2018, 11:42 AM   #12
SmajjL
Human being with feelings
Join Date: Nov 2013
Location: Sweden
Posts: 2,129
Default

I would not mind at all if someone pulled out a chair and,andand some Coffee/Carlsberg and explained to me why Linux seems to have this no virus protection needed and the mighty AUR is just, wiiie! get what you need there, all is good.
?
And with a calm soothing voice and meditationmusic in the Bg.. thx
__________________
:)

Last edited by SmajjL; 10-03-2018 at 01:00 PM.
SmajjL is offline   Reply With Quote
Old 10-03-2018, 10:23 PM   #13
Snap
Human being with feelings
Join Date: Jul 2011
Posts: 850
Default

Quote:
Carlsberg
Seriously? Carlsberg? May I have any other beer? LOL.

The AUR is a real mess and should be avoided IMO. It might save you time and effort when building packages, but there's a lot of cruft, abandoned, unmaintained and obsolete packages up there. Better learn to make templates and build on your own. Just my two cents...

Virus... Well, there are many other security concerns to consider too. The best method for security is pulling your ethernet wire out (or your wifi management if it applies) and staying away from the interwebs at all times, LOL. Now, seriously, common sense and a bit of know-how are the best antivirus "tools" out there.
Snap is offline   Reply With Quote
Old 10-04-2018, 02:35 AM   #14
SmajjL
Human being with feelings
Join Date: Nov 2013
Location: Sweden
Posts: 2,129
Default

Tuborg works for me also, but for you, I'll try to find another beer as long as it is legal and I shall try it, but just so you know, I don't exactly smile less with those kinds of drinks in my system.
So are there any alien re-packers, or whatever it's called now, to get what is not in the AUR then, just in Manjaro's normal or whatever (checked) repos?
Anyway, thanks snap!
__________________
:)
SmajjL is offline   Reply With Quote
Old 10-04-2018, 10:58 PM   #15
Snap
Human being with feelings
Join Date: Jul 2011
Posts: 850
Default

Quote:
Originally Posted by SmajjL
Tuborg works for me also, but for you, I'll try to find another beer as long as it is legal and I shall try it, but just so you know, I don't exactly smile less with those kinds of drinks in my system.
Toss me that one!

Quote:
So are there any alien re-packers, or whatever it's called now, to get what is not in the AUR then, just in Manjaro's normal or whatever (checked) repos?
Anyway, thanks snap!
I don't use Arch or Manjaro. But I know there are some folks offering packages on their own servers or places like the openSUSE Build Service. An example:

https://software.opensuse.org//downl...package=apulse

^ I totally trust this guy and whatever he packages. I've been following his posts for years in some forums, but will you trust him? Why? Blindly dropping packages found somewhere, built by who-knows-who, into your system is not a good idea. This applies to the AUR too.

Best practice is trusting your distro repos, what you package on your own, and perhaps occasionally grabbing a package here and there packaged by someone reliable who deserves your trust... preferably signed packages, BTW. (Something that is missing for Reaper downloads, and it's not nice, even though I trust the team.)

I know. Compiling and packaging can be bothersome and painfully time consuming sometimes. But you won't compromise your system with alien packages of uncertain quality.
Snap is offline   Reply With Quote
Old 10-05-2018, 04:25 AM   #16
SmajjL
Human being with feelings
Join Date: Nov 2013
Location: Sweden
Posts: 2,129
Default



Yeah, same would go for that otto bleeding edge GIMP fellow I think, think I am comfortable with that guy by now, and eum eum, the Manjaro Philips guy also, hmm, yep.
I am also going Bitwig combo soon also so, I am vvvery minimal "biased"-locked-in soon for Windows, SmajjL-soon.. (good news)
__________________
:)
SmajjL is offline   Reply With Quote
Old 10-06-2018, 01:03 AM   #17
Snap
Human being with feelings
Join Date: Jul 2011
Posts: 850
Default

Exactly like that! A perfect tossing act LOL.
Snap is offline   Reply With Quote
Old 10-06-2018, 11:47 AM   #18
SmajjL
Human being with feelings
Join Date: Nov 2013
Location: Sweden
Posts: 2,129
Default

Yw

And in front of my nose GUFW says "If you are a normal user (questionable), you will be safe with this setting (Status=On, Incoming=Deny)".
I don't use P2P or FTP or any kind of *Pfts either.. *"excuse me (wipes mouth)

__________________
:)

Last edited by SmajjL; 10-06-2018 at 11:52 AM.
SmajjL is offline   Reply With Quote