Sandboxie Drop Rights setting

[RejZoR]

I'm a bit confused here. What is the purpose of Drop Rights feature in Sandboxie if apps run in isolated environment in the first place? I've tried testing some apps that required admin rights to even install and they refused to even run without disabling Drop Rights setting first. But after i did that, program worked fine but everything was still restricted inside Sandboxie and didn't touch my actual computer.

So, the question here is, what's the purpose of this setting? Sandboxie documentation has very little info on this.

I only use Sandboxie to test apps that i don't know or i don't want them to leave junk on my actual system. I don't use it to protect my browsers or other apps. I use it as a strictly isolated environment and i've also configured it that way (file(s) recovery options disabled).

[KelvinW4]

Maybe thats a way to strengthen sandboxie to prevent any "possible" breakout even though that may not be possible?

[Sully]

The author says it is just a reduced token within the sandbox, nothing special. And that really is all it does, just reduce the token.

It can be used a few different ways, depending on the user. Its main use IMO is that while SBIE keeps things out of the real system, anything can run and the sandboxed environment can contain trojans/keyloggers/viruses etc etc. So with Drop Rights enabled, nothing can assume admin credentials within the sandbox, thus creating better sandbox environment security.

Sul.

[RejZoR]

Well i don't care if something has admin rights INSIDE sandbox. In fact i want it this way, so i see how stuff behaves inside which then shows to me how it would behave on my system with admin rights granted.

I think this only helps if you run browser sandboxed inside and you don't want anything to leak through it into your host system.

[3x0gR13N]

Quote:

Well i don't care if something has admin rights INSIDE sandbox.

Some might, hence the option.

Quote:

I think this only helps if you run browser sandboxed inside and you don't want anything to leak through it into your host system.

Nothing will modify the host system regardless, as mentioned already by Sully- Drop Rights pertains to restrictions within the sandbox, not strengthening its isolating capabilities/preventing "leaks" onto host.
But then there's always the "what if" situation where there's a bug in sandboxie which allows something to leak onto the host and whether Drop rights will mitigate such bug. Regardless, Drop rights isn't really designed to prevent leaks onto host, but only modify Admin rights for programs within the sandbox.

[Sully]

Quote:

Originally Posted by RejZoR

Well i don't care if something has admin rights INSIDE sandbox. In fact i want it this way, so i see how stuff behaves inside which then shows to me how it would behave on my system with admin rights granted.

I think this only helps if you run browser sandboxed inside and you don't want anything to leak through it into your host system.

You miss the point of it though.

A large percentage of SBIE users only start thier browser in the sandbox, and don't really restrict or manage it. They think they are safe because they are using SBIE - which is true for thier system.

However, in using SBIE this way they are creating a persistent environment for thier browser. If an exploit that needs root get into that environment is blocked by the DropRights feature, then that environment remains "more safe" than if it were to be allowed.

The point is, SBIE doesn't stop a trojan or keylogger etc within that environment, and many people will be oblivious to it because they think they are safe just by using SBIE. Users in the know likely use Drop Rights for those and other reasons.

It really has nothing to do with the host system, but everything to do with the sandboxed environment.

I don't use it either, and it sounds like you don't need it either. But in your "testing" to see what something does IF it were to have admin rights, you might also at times want to know IF something can work without admin rights, and that is just another way to use Drop Rights feature.

Sul.

[RejZoR]

Ok then, i was only wondering if this is limited to sandbox only or also to the host system. Since i don't use it to sanbox browser it doesn't really matter like you guys said. I'm running it with purpose of full isolation from host, it makes sense to use Drop Rights if you run browser in it since sandbox itself only prevents exploits from reaching your host, they can still steal your personal data from within sandbox (from the browser which is inside). In that case droping rights makes a lot of sense.

Thx for replies.

[Kees1958]

According to Sully's explanation it adds a limited (user) token to the process or processes launched within the sandbox, so it is for the sandbox.

Sully also mentiones 'persistant' sandbox, e,g, people running a program allways within a special sandbox and keep all the data in the sandbox (e.g. your email program). Dropping rights could prevent malware entering that e-mail sandbox from gaining admin rights WITHIN the sandbox. So it definitely makes sence.

Not using SBIE, but understanding the thought behind this feature, for full isolation I would prefer VM.

[RejZoR]

Well, it depends what you're trying to do with it. I find SBIE much more flexible as it's super fast and always there. Yesterday i was encoding audio files in it just because i didn't want to install encoding software on my actual system, because i needed it just that time. Did the encoding in SBIE, transfered the files out to host and deleted the sandbox content. Job done and host system wasn't made dirty because of the new installed program.

I also have VMWare but it takes much longer to boot, consumes much more memory and isn't as transparent as SBIE.

Thats why i use SBIE a lot lately for such tasks as above.

Is there a way to allow installation of services and system drivers inside SBIE ? If i want to test some antivirus inside quickly, they usually don't work because they can't install drivers. But again, i'd need this only inside sandbox.
Can this be done?

[3x0gR13N]

Quote:

Originally Posted by RejZoR

Is there a way to allow installation of services and system drivers inside SBIE ? If i want to test some antivirus inside quickly, they usually don't work because they can't install drivers. But again, i'd need this only inside sandbox.
Can this be done?

http://www.sandboxie.com/index.php?R...tings#lowlevel
Use with caution.

[RejZoR]

Again, i didn't understand this part. It's again limited to the insides of the sandbox right? It's a bit annoying since help documents don't explicitly say all the settings are strictly limited to the insides of the sandbox only.

Because if this is true, i'll basically have VMWare instantly available from trey which is cool. Not being able to install drivers was the only thing really bothering me. I'll give it a try this evening...

[3x0gR13N]

Quote:

Originally Posted by RejZoR

Again, i didn't understand this part. It's again limited to the insides of the sandbox right? It's a bit annoying since help documents don't explicitly say all the settings are strictly limited to the insides of the sandbox only.

To what would the setting pertain if not the inside of the sandbox?

[RejZoR]

Yeah well, they make it sound like it can interconnect with the host...

[3x0gR13N]

Ah, sorry, I misread your post. I haven't personally tried to use programs which require drivers in Sandboxie, so I don't really know if the changes are made to host permanently or not. I'll try and see for myself.
P.S. make sure to read Driver Installation in http://www.sandboxie.com/index.php?BlockDrivers which is sub-linked in above link.

[Sully]

I have tried heavier apps in sandboxie, and gave up. I use it much like you do, to test apps in or to use a few times a year, transferring the file(s) I need to keep out then deleting the contents. Well, I have one box that I use like that anyway - I have many other uses too

For firewalls and AVs, stuff like that I use a vm. I take a snapshot of the vm just after creation. Then boot into it and "pause" it. When I need to do something in vm, I click "run" and it takes minimal time for it to come out of "pause" state. When I am done, I restore the snapshot, "pause" it, and quit.

I wish sandboxie would play nice with the more meatier applications like firewalls, but it does not, for me anyway.

Sul.

[3x0gR13N]

Quote:

Originally Posted by Sully

I have tried heavier apps in sandboxie, and gave up.

After tinkering with it for the last 15min I gave up as well. There's too much settings in need of change and even after following instructions it didn't work properly.

[RejZoR]

Well, i admit as well that even though i'm familiar with virtualization software, concept of Sandboxie and the way i'm using it is new to me.

Also, most want to restrict the sandbox, i, on the other hand want to give it full capability, just isolated from the host. So i can install anything and run anything in it without restrictions without making my real system dirty.

And i'm slowly getting it. All these settings are designed for you to run your browser in it and give malware little chance of doing anything.
I need it in a bit different way, like i said already i'm using it to quickly install and test programs in it. So for me, i'll really have to enable all these settings which would for a browser sandboxing use make it more vulnerable, but for me it will make Sandboxie to actually work in the first place.

I'll test it today to see how apps that require kernel drivers will work in it.