Sandboxie - Drop My Rights

What will dropping rights for sandboxed applications do? Will the programs run in a "LUA-like" environment? If it does, than that should mean that I will not be able to save files to "C:\Program Files\", right? But, I can. Can anyone tell me how?

 

A short explanation about DR in SBIE
http://www.sandboxie.com/index.php?RestrictionsSettings#drop

 

you can save files but when you run them it is like if you are in safe mode,any executable files will not run properlly

 

I question Sandboxie's Drop Rights ability.

anyone remember HTAAA HTAAAB HTAAAC STOP tests?
https://www.wilderssecurity.com/showthread.php?t=239942

 

I do agree that no "Permanent" damage is done, I am not denying that.

I was just questioning The "Drop My Rights" ability? Because isn't Drop My Rights supposed to be used for to run Unknown or Untrustworthy Programs??
If it can't properly control the behavior of programs such as in the tests we talked about in the some test thread, then what good is it even having the Drop My Rights Feature?

 

And also this is the Main reason why I switched from sandboxie to Defense wall,

because Defense Wall seems to have a much better ability in controlling the behavior of Untrusted programs than what Drop My Rights in Sandboxie has.

If you think about it Logically Defense Wall has to be able to control the behavior of Untrusted programs it is an absolute must, because it doesn't have a anti executable feature to prevent malware from running where as Sandboxie does. It does how ever have a "Stop attack" Feature which can terminate any running malware being a nuisance

 

I question it also, I think its' useless and poorly programed. I like Sandboxie overall and use the run access settings to handle any unknown or unwanted exe files. I did ask about it at their forum but just got brushed off as if I was asking about something the dev didn't want to talk about (or knew little about) - but it was no biggie. Would an LUA/SRP have handled those "Stop Tests"? I am not too good on LUA. I know it limits what can be installed, and where, but those exe files didn't need any install - they were standalone, if I remember correctly. But like I said, I am not too up on LUA.

 

I stated that "I question it also, I think its' useless and poorly programed" in direct response to Arran also questioning the Drop Rights feature of Sandboxie. So it should be fairly obvious that since I went on to say that I did use the program and said good things about it, that I meant that my opinion was that the Drop Rights feature was useless and poorly programed. If you want to infer that I said the entire program was useless and poorly programed, there is nothing I can do about that.

 

Good question, I don't believe any one tested them with LUA/SPR It will be interesting to find out, I'm not too up on LUA either.

He is not saying that all of Sandboxie as a whole is useless and poorly programmed, just the "drop my rights feature"

we are not denying that there is no known malware which can cause permanent damage, we are just questioning the Drop My Rights Abilities

 

See here;
http://www.sandboxie.com/index.php?VersionChanges#v_3_34
Sandboxie version 3.34 released Jan 5, 2009

Then on Jan 8, 2009 (a mere 3 days later)

http://sandboxie.com/phpbb/viewtopic.php?p=30929#30929

Tzuk;

So forgive me if I have little faith in the Drop Rights feature of Sandboxie.....

 

Well (opinion) its useless from the standpoint of that you are already in a sandbox - nothing can install into Program Files or Windows (the real ones I mean) or drivers or services etc etc. If you want LUA in addition to sandboxie, it is right there in Windows for you to set up ..... if the word 'useless' is too much - how about 'Less than usefull'? lol On top of that is the run access settings ........

 

Ah, I knew I could find the comment that bothered me;

http://sandboxie.com/phpbb/viewtopic.php?p=30903#30903

tzuk -

So ... things can be created in the 'Sandboxed\Windows' directory - so my question remains, wth? And my opinion stands, ... useless.

Now, here is where my issue is; Let's say that you are not using Sandboxie. You have LUA in effect. You come across a drive-by keylogger that absolutely needs to install itself in the Windows folder. In this case, it can not install.

Same situation, using Sandboxie; The keylogger is in Sandbox\Windows but thinks it is in Windows. Windows thinks you are installing the keylogger into C:\Sandbox.. and allows it. Both Windows and Sandboxie are helping to allow the keylogger now. You would have to take it upon yourself to include the Sandbox folder in a SRP. So let's say that you do that, what at this point do you need the Sandboxie DropRights to do?

Let's say that you are running as Admin, and using the Sandboxie Drop Rights .... well, by the devs' own words... the install will be allowed, in the Sandbox\Windows folder.

 

All true, and makes the sandboxie drop rights ... 'not necessary'. Use the Sandboxie run access settings instead.

 

If you understand what security descriptor and tokens are, do you still say 'not necessary'? For layman, using SB, it is already a good product without this feature.

If you are logged in LUA, you need not worry anyway. If you are logged in Admin, use SRP to restrict browser to Basic User level, and then don't worry. Just enjoy the fact that what normally would be restricted with browser is now blissfully available inside the sandboxe due to where it's file path is. Nothing better than the browser being restricted yet the user not feeling the restriction.

Sul.

 

In my opinion the Drop-My-Rights thingie wasn't really needed, tzuk just wanted to add yet another layer to his protection. Sandboxie was already close to perfect, at least in my opinion, without DMR, but adding other layers, no matter how "soft", cannot hurt things. Dropping ones rights is not the purpose of Sandboxie, just a "fancy" feature. There are other ways of dropping the rights, tzuk just made it easier for those who are using his program.

Acadia

 

I am only trying to STAY ON TOPIC, and maybe someone then can answer the OPs' first question?

Of course, the fact is that we are talking about something that is running in the sandbox. So, over and above running in the sandbox - what does it add? Already, drivers and services are not allowed. An LUA with or without SRP is not even in this equation. Keyloggers that can not install because they need a driver are not in this equation. Emptying the sandbox periodically is not in the equation. Whether or not Sandboxie is a good or poor program is not in this equation. Any other workarounds that anyone thinks of is also not in this equation.

Pure and simple - over and above the fact of what a program can do in the sandbox - what does the Drops Rights accomplish?

 

I gotta get to work guys, good luck. BTW, the answer is psst... nothing.

 

I don't really know what it does but there have been cases where I tried to install things in sandboxie with it enabled and the install said I needed admin rights to install it, and after disabling it I could install the program.

So it does restrict some things, I'm just not sure what.

 

I would like to know this answer too.

 

A process started into a sandbox, whether you shortcut it, drag and drop or force it, will be stripped of any references of Admin or PowerUser, which will make it essentially a process with only user rights.

Since the default security template in XP's case has now knowledge of a sandbox directory, it is not included in any restrictions. You can write/delete even as a User. So SB's DropRights has no bearing on what is happening that way.

It would seem correct that the DropRights option would refer to the 'virtual file system' within the sandbox directory, but this is not the case. DropRights is seemingly actually dropping rights of the process, for use in the real file system, not necassarily the virtual one. From what I read anyway that is what it says. Think of it as, if it were to escape, any rights it would have had in the real OS were stripped by SB and it is rendered 'infertile'. This applies to an actual exploit where a process escapes SB and is out for real, or when you have by design created a hole in SB to fulfill recovery or downloading or other need.

Sul.

 

Thanks Sully, I appreciate it as you obviously know and understand all of this. Correct me if wrong;

I assume you mean "no knowledge"? And the Drop Rights feature has no bearing (or less than full bearing) on activities within the sandbox?

That is a keen observation and may in fact be a benefit of the feature, however I do not think most users realize how limited the benefits of the feature are.

My statement is that if a user is interested enough to check that checkbox, they would have a concern of doing things right. And it is easy enough (and free) to do it right with other methods.

 

Yes, correct 'no knowledge'.

Tzuk himself stated, it was an option he COULD add, so he DID. I don't think it is a matter of SB trying to do something that other methods might do 'more better'. I think it is just a way to remove those rights from a process, leaving it restricted. This restriction it seems, applies to real process. As I said, if this process escapes SB, it is protected. You don't even have to use an 'alternate method', only SB. And it applies to everything.

Now think about this for a minute, try to see the longer scope. You might use SRP or DMR or whatever to restrict Firefox to a basic user mode. OK, your thinking is why use SB to handle dropped rights when it does not technically work in the SB like it would in the real OS. But, thinking out further. If you use the DR option in SB, then anything started in SB will be a User. Now imagine if that process were to be allowed to interface to the control panel, or a download folder, or someplace in program files or windows. A hole created not by malware or exploit, but by the user who has a custom config to make all his stuff work in SB. With the DR option on, it does not affect what you do in the c:\Sandbox\xyz\xyz folders, but in the real OS. So yes, it does not appear to do much within the Sandbox, but with it, everything is automatically stripped and the restrictions would be felt OUTSIDE the sandbox. Imagine that again, you do nothing except check one box, and ANYTHING started that could ever go OUTSIDE the sandbox would be RESTRICTED.

I know there are other methods of dropping rights, but I do believe this option in SB, while not probably ever being used by most peeps, still offers a pretty good level of 'what if' protection. To me it is actually a big thing. But then I do look at things as different as I can when I can

Sandboxie -- you can run as LUA, you can demote a process that runs in SB, you can use SB option DropRights. All of these, create a reduced privelage. The beauty, the brilliance, the essence, erm you get it, that GREAT THING about Sandboxie, is that once you start a process in Sandbox, you dont' even notice the restrictions ! So peeps in this thread, they are confused. Dont' be. Restrictions don't apply to virtual (or should be psuedo virtual) file systems. You can pretty much, do as if you were an admin, when you or the process started are not admin but user. YET -- if you should ever escape the sandbox, you come crashing back to reality, that WHOA, I am just a user. I love this program more every time I play with it.

Sul.

EDIT: Um, after posting on this topic before and reading lots of threads and playing with SB in different situations, this is what I THINK is happening. I have only time allotted to SB in small amounts so there may be someone in the KNOW who can verify this.