Sandboxie Drop Rights setting

Discussion in 'sandboxing & virtualization' started by RejZoR, Sep 1, 2012.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I'm a bit confused here. What is the purpose of the Drop Rights feature in Sandboxie if apps run in an isolated environment in the first place? I've tried testing some apps that required admin rights to even install and they refused to even run without disabling the Drop Rights setting first. But after I did that, the program worked fine but everything was still restricted inside Sandboxie and didn't touch my actual computer.

    So, the question here is, what's the purpose of this setting? Sandboxie documentation has very little info on this.

    I only use Sandboxie to test apps that I don't know or I don't want them to leave junk on my actual system. I don't use it to protect my browsers or other apps. I use it as a strictly isolated environment and I've also configured it that way (file(s) recovery options disabled).
     
  2. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Maybe that's a way to strengthen Sandboxie to prevent any "possible" breakout even though that may not be possible?
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The author says it is just a reduced token within the sandbox, nothing special. And that really is all it does, just reduce the token.

    It can be used a few different ways, depending on the user. Its main use IMO is that while SBIE keeps things out of the real system, anything can run and the sandboxed environment can contain trojans/keyloggers/viruses etc etc. So with Drop Rights enabled, nothing can assume admin credentials within the sandbox, thus creating better sandbox environment security.

    Sul.
     
  4. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, I don't care if something has admin rights INSIDE the sandbox. In fact I want it this way, so I see how stuff behaves inside, which then shows me how it would behave on my system with admin rights granted.

    I think this only helps if you run a browser sandboxed inside and you don't want anything to leak through it into your host system.
     
  5. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Some might, hence the option. :)
    Nothing will modify the host system regardless, as mentioned already by Sully: Drop Rights pertains to restrictions within the sandbox, not strengthening its isolating capabilities/preventing "leaks" onto host.
    But then there's always the "what if" situation where there's a bug in Sandboxie which allows something to leak onto the host and whether Drop Rights will mitigate such a bug. Regardless, Drop Rights isn't really designed to prevent leaks onto host, but only modify Admin rights for programs within the sandbox.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You miss the point of it though.

    A large percentage of SBIE users only start their browser in the sandbox, and don't really restrict or manage it. They think they are safe because they are using SBIE - which is true for their system.

    However, in using SBIE this way they are creating a persistent environment for their browser. If an exploit that needs root get into that environment is blocked by the DropRights feature, then that environment remains "more safe" than if it were to be allowed.

    The point is, SBIE doesn't stop a trojan or keylogger etc within that environment, and many people will be oblivious to it because they think they are safe just by using SBIE. Users in the know likely use Drop Rights for those and other reasons.

    It really has nothing to do with the host system, but everything to do with the sandboxed environment.

    I don't use it either, and it sounds like you don't need it either. But in your "testing" to see what something does IF it were to have admin rights, you might also at times want to know IF something can work without admin rights, and that is just another way to use Drop Rights feature.

    Sul.
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Ok then, I was only wondering if this is limited to the sandbox only or also to the host system. Since I don't use it to sandbox a browser it doesn't really matter, like you guys said. I'm running it with the purpose of full isolation from host. It makes sense to use Drop Rights if you run a browser in it, since the sandbox itself only prevents exploits from reaching your host; they can still steal your personal data from within the sandbox (from the browser which is inside). In that case dropping rights makes a lot of sense.

    Thx for replies.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    According to Sully's explanation it adds a limited (user) token to the process or processes launched within the sandbox, so it is for the sandbox.

    Sully also mentions a 'persistent' sandbox, e.g. people running a program always within a special sandbox and keeping all the data in the sandbox (e.g. your email program). Dropping rights could prevent malware entering that e-mail sandbox from gaining admin rights WITHIN the sandbox. So it definitely makes sense.

    Not using SBIE, but understanding the thought behind this feature, for full isolation I would prefer VM.
     
  9. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, it depends what you're trying to do with it. I find SBIE much more flexible as it's super fast and always there. Yesterday I was encoding audio files in it just because I didn't want to install encoding software on my actual system, because I needed it just that time. Did the encoding in SBIE, transferred the files out to host and deleted the sandbox content. Job done and host system wasn't made dirty because of the newly installed program.

    I also have VMware but it takes much longer to boot, consumes much more memory and isn't as transparent as SBIE.

    That's why I use SBIE a lot lately for such tasks as above.

    Is there a way to allow installation of services and system drivers inside SBIE? If I want to test some antivirus inside quickly, they usually don't work because they can't install drivers. But again, I'd need this only inside the sandbox.
    Can this be done?
     
  10. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    http://www.sandboxie.com/index.php?RestrictionsSettings#lowlevel
    Use with caution.
     
  11. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Again, I didn't understand this part. It's again limited to the insides of the sandbox, right? It's a bit annoying since the help documents don't explicitly say all the settings are strictly limited to the insides of the sandbox only.

    Because if this is true, I'll basically have VMware instantly available from the tray, which is cool. Not being able to install drivers was the only thing really bothering me. I'll give it a try this evening...
     
  12. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    To what would the setting pertain if not the inside of the sandbox? :blink:
     
  13. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Yeah well, they make it sound like it can interconnect with the host...
     
  14. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    Ah, sorry, I misread your post. I haven't personally tried to use programs which require drivers in Sandboxie, so I don't really know if the changes are made to host permanently or not. I'll try and see for myself.
    P.S. make sure to read Driver Installation in http://www.sandboxie.com/index.php?BlockDrivers which is sub-linked in above link.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have tried heavier apps in sandboxie, and gave up. I use it much like you do, to test apps in or to use a few times a year, transferring the file(s) I need to keep out then deleting the contents. Well, I have one box that I use like that anyway - I have many other uses too ;)

    For firewalls and AVs, stuff like that I use a vm. I take a snapshot of the vm just after creation. Then boot into it and "pause" it. When I need to do something in vm, I click "run" and it takes minimal time for it to come out of "pause" state. When I am done, I restore the snapshot, "pause" it, and quit.

    I wish Sandboxie would play nice with the meatier applications like firewalls, but it does not, for me anyway.

    Sul.
     
  16. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    849
    After tinkering with it for the last 15 min I gave up as well. :D There are too many settings in need of change and even after following instructions it didn't work properly.
     
  17. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, I admit as well that even though I'm familiar with virtualization software, the concept of Sandboxie and the way I'm using it is new to me.

    Also, most want to restrict the sandbox; I, on the other hand, want to give it full capability, just isolated from the host. So I can install anything and run anything in it without restrictions without making my real system dirty.

    And I'm slowly getting it. All these settings are designed for you to run your browser in it and give malware little chance of doing anything.
    I need it in a bit different way; like I said already, I'm using it to quickly install and test programs in it. So for me, I'll really have to enable all these settings, which would for a browser sandboxing use make it more vulnerable, but for me it will make Sandboxie actually work in the first place.

    I'll test it today to see how apps that require kernel drivers will work in it.
     