My friend wants to learn how to use sandboxie.

Discussion in 'sandboxing & virtualization' started by cheater87, Aug 11, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's something a bit more concerning than this DropRights thing, though. IMHO. :argh: :argh:

    As you may be aware, Sandboxie settings are not created per-user. The settings of a sandbox will affect ALL users, etc. There's no separation... I wonder why... o_O I hope this will be done in the future, though.

    Anyway, suppose you're using your browser... simply searching stuff... You save docs, etc to a folder, that you happened to open to see their content.

    Then, all of a sudden nature calls and you only remember to suspend your session, simply because you don't want to re-open stuff all over again.

    Another person, who you share the computer with (who was not at home, at the moment, but simply just arrived :D), starts his/her session... they can simply see if you got any files, etc... pr0n images :blink:... etc

    Dangerous life I tell you. :argh:

    What's your take?
     
  2. wat0114

    wat0114 Guest

    You mean the Content.IE folder as an example? It looks like the history of another account, even the admin's, can be viewed even after the session's closed, unless the contents were deleted when the sandbox was closed.

    OTOH, what's to stop someone inclined to snoop from booting in to a live Linux session and gaining access to everything in all accounts?
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Different user accounts shouldn't have access to the sandboxes of another account. There should be isolation. User A shouldn't be able to access content from User B.

    But, why should that be a reason for Sandboxie not provide the isolation between user accounts?

    And, I thought you weren't a fan of ifs. :D
     
  4. wat0114

    wat0114 Guest

    I agree.

    Just stating the fact that physical access to one's pc could mean game over if someone's determined to steal data from it ;)

    What is ifs?
     
    Last edited by a moderator: Aug 25, 2011
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, but we shall not make their lives any easier. :p

    If... If... If... and so on. What you mentioned was an if... so ... ifs. :D
     
  6. wat0114

    wat0114 Guest

    ha-ha, I see :D
     
  7. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Thanks Sully. I certainly understand why you do it the way you do. It eliminates any chance of confusion. But I was wondering if my method (using 2 different sandboxes for the same browser) in effect made me just as secure?

    I have one sandbox simply named "Firefox", which I use most of the time. I have it set up with some convenience in mind, like allowing direct access to bookmarks, and for videos to play (i.e. flash/plugin-container allowed to run). Then I have another sandbox called "FirefoxSecure", in which the only things allowed are firefox itself, Keyscrambler, and my add-ons. Both are set up to auto-delete the box when the session is closed.

    Would this accomplish the same from a security standpoint as using 2 separate browsers? Or is there some added benefit besides eliminating confusion to use 2?
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    As an example, suppose the sandbox with direct access to the bookmarks were to somehow create a bookmark that could be harmful. You delete the contents of this sandbox, but the bookmark was real, so it stayed.

    Next you open your more secure sandbox. When it starts, it will use the same bookmarks file that the other sandbox used. It you click on that link, the bad thing happens. It did not matter that you deleted files. What mattered was that each sandbox used the same files, and any exploit would be common to both.

    Knowing that, you could limit direct access. You could deny the more sensitive sandbox from having access to the places the non-sensitive sandbox might modify. There are many ways to work around it. And the bookmark is not a great example of an exploitable item, but I am only pointing out how the data can be used in both sandboxes because they both share a common parent.

    What I did with 2 browsers was to take away any possibility of such things. I am confident that if you really want to use firefox in two sandboxes, you can achieve it. It might be more complex. What the heck though, doing complex things is a great way to learn.

    Sul.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.