This document outlines security best practices and the shared responsibility model for running WineBot.
WineBot provides a Windows compatibility layer inside a Linux container. Because Wine runs Windows binaries with the same privileges as the winebot user, a compromised Windows application can theoretically access any data within the container or attempt to pivot to your local network.
If your automation does not require internet access, run the container with network isolation:

```bash
docker run --network none ...
```

In docker-compose.yml, use an internal network:

```yaml
networks:
  winebot-net:
    internal: true
```

VNC traffic is not encrypted by default. To secure the remote desktop:

- Bind VNC to localhost only: `VNC_BIND=127.0.0.1`
- Use an SSH tunnel to access the desktop: `ssh -L 5900:localhost:5900 user@remote-host`
- Always set a strong `VNC_PASSWORD`.
Always set an `API_TOKEN` in production environments. The dashboard and CLI will require this token to perform any actions.
Mount your apps/ and automation/ directories as read-only (`:ro`) to prevent malicious scripts from modifying your local source files or installers. (Enabled by default in compose/docker-compose.yml.)
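The settings above (internal network, localhost-bound VNC, `VNC_PASSWORD`, `API_TOKEN`, read-only mounts) are easy to lose during a copy-and-edit of the compose file. The following pre-deploy lint is an added example, not WineBot's own tooling: it greps a docker-compose.yml for each setting and reports what is missing. It assumes one environment key per line, cannot judge password strength, and both sample compose files it writes are constructed for the demo.

```shell
# Added example, not WineBot's own code: a grep-based pre-deploy lint for a
# docker-compose.yml, checking the settings described above. It assumes one key
# per line and cannot judge password strength; both sample files are constructed.

# check_compose FILE: print one MISSING line per absent setting; return 1 if any.
check_compose() {
    rc=0
    grep -Eq '^[[:space:]]*internal:[[:space:]]*true' "$1" \
        || { echo "MISSING: 'internal: true' on the container network"; rc=1; }
    grep -Eq 'VNC_BIND[=:][[:space:]]*"?127\.0\.0\.1' "$1" \
        || { echo "MISSING: VNC_BIND=127.0.0.1"; rc=1; }
    # A value must be present; "${VAR}" references pass, empty strings do not.
    grep -Eq 'VNC_PASSWORD[=:][[:space:]]*"?[^"[:space:]]' "$1" \
        || { echo "MISSING: non-empty VNC_PASSWORD"; rc=1; }
    grep -Eq 'API_TOKEN[=:][[:space:]]*"?[^"[:space:]]' "$1" \
        || { echo "MISSING: non-empty API_TOKEN"; rc=1; }
    for dir in apps automation; do  # both host directories must be mounted :ro
        grep -Eq "${dir}:[^[:space:]:]+:ro" "$1" \
            || { echo "MISSING: read-only (:ro) mount for ${dir}/"; rc=1; }
    done
    return $rc
}

# Constructed sample: defaults a hurried deployment might ship with.
write_weak_compose() { cat > "$1" <<'EOF'
services:
  winebot:
    environment:
      VNC_BIND: "0.0.0.0"
      VNC_PASSWORD: ""
    volumes: [./apps:/apps, ./automation:/automation]
EOF
}

# Constructed sample: the same service with every setting from this page applied.
write_hardened_compose() { cat > "$1" <<'EOF'
services:
  winebot:
    environment:
      VNC_BIND: "127.0.0.1"
      VNC_PASSWORD: "${VNC_PASSWORD}"
      API_TOKEN: "${API_TOKEN}"
    volumes: [./apps:/apps:ro, ./automation:/automation:ro]
    networks: [winebot-net]
networks:
  winebot-net:
    internal: true
EOF
}
```

Run `check_compose compose/docker-compose.yml` in your deploy pipeline and fail the job on a non-zero exit; the weak sample above reports six missing settings, the hardened one none.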
If you discover a security vulnerability in WineBot, please open a GitHub Issue or contact the maintainers directly. Do not disclose sensitive bugs in public comments until a patch is available.