sandboxie v4 out Jan 10, 2013

Pete, agree, the Sandboxie ACL discussion in the AppGuard should have been discussed here, as even Tzuk agrees on this, thanks for the link

With apologisies to BarbC
- windows 7 and Vista https://www.wilderssecurity.com/showpost.php?p=2218170&postcount=2332

- windows 8 (thx to Shadek) https://www.wilderssecurity.com/showpost.php?p=2218209&postcount=2337

I would not strip the bypass traverse checking of the user account (e.g. with GPO), this disables the possibility of a user to navigate through a folder with no access rights to a folder with access righs. When using deny "traverse folder/execute file" don't disable this bypass option it will make the Child directory in example below unaccessible with Windows Explorer and most "file open" dialogs.

Grandparent folder (with access rights)
Parent folder (without traverse folder/execution rights)
Child folder (with access rights

Default situation, when in the grandparent folder, one can click through the Parent Folder to get to the Child folder, with stripped traverse bypass at user rights one cannot click through Parent Folder (guess Microsoft found out afterwards it was not smart to combine the traverse and execute rights, so they came up with a traverse bypass which is now the default)


Regards Kees

 

Hello Pete,

This has been discussed/wanted since mid 2008 over Sandboxie forums. I haven't looked, so not sure if there are any older concerns about it.

I provided a link before:

-http://www.sandboxie.com/phpbb/viewtopic.php?t=3492

There are workarounds, but don't work as expected, especially because whenever one deletes a sandbox, permissions set by the user will be gone. An alternate way would be using an external program to delete contents, but according to my own tests, it doesn't always work as expected, especially with tools like Eraser, mentioned at that same thread as well.

Any folder created under the supervision of Sandboxie, will inherit permissions set by Sandboxie, not by the user...

The ideal solution would be for Sandboxie's author to address this situation once and for all, IMHO. So that no one has to tweak anything, that won't even work 100%.

 

Yeah, unfortunately Sandboxie is explicitly setting permissions on each file/folder (I guess you know that), so therefore the "Inherit from parent" thing doesn't apply.

Along with screwing up some other important stuff, so absolutely don't do that (bypass traverse checking priv for user) in a desktop environment.

 

Downloaded version 4.01.06 in Windows 8 (64bit). No problems so far.

 

No I am not a Sandboxie user, bummer, now I understand the critism, well in that case I doubting additional advantages of SBIE + Chrome versus UAC plus Chrome sandbox with explicit "deny traverse folder/ execute" of User Data and Download directory, with Emet (exploit code prevention) and ZeroVulnability Browser Edition (payload dropper prevention). SBIE is good, but combined with SBIE running HIGH IL (yes thanks M00NB00D for spoiling that party ) and Individual File/Folder permissions (thanks Dr L.P. for mentioning that one ) you are putting all your money on one horse (although SBIE has proven to be solid and not a gamble/bed in the past).

 

I haven't had any desire to do your suggested "Deny execute" ACL trick, since (maybe this wouldn't apply in the sandbox folder, but elsewhere in general) I want to be able to execute stuff myself (XP Admin user)... So my idea/solution (though I haven't "bothered" to set it yet) is to remove Execute permission from CREATOR OWNER. Therefore, running with dropped rights, it's the same as deny execute; but with full admin privs, I can execute as part of the Administrators group.

None of this matters that much, in the sense that anything that drops a file could give itself permissions and/or remove Deny entries as owner. That's why there's also SRP... which could also be bypassed.

I'm not sure what that's about? I see no High IL Sandboxie processes... Everything looks as it should and I'd expect.

 

He made confusion with me mentioning System IL. Not High IL. (They're pratically the same, in the sense that to get System, you need High.)

 

You know it's always a pleasure. Any time.

OK. I have the paid version, because I do like some functionality it offers, but what do you mean it has proven to be solid? Under which scenarios? I'm afraid (for some reality check) that we're still not in a time and age where Sandboxie is massively used by users to be put to test. Hopefully, it won't come to that either. (I do enjoy a bit of security through obscurity.) Accidents do happen, though.

 

OK, the service processes. They wouldn't (couldn't) be anything other than System, AFAIK. So what's that matter? That's just how supervision is done, stuff running in the sandbox doesn't have "direct access" to them... They just handle (proxy) requests on behalf of sandboxed programs -- differently/more so now in version 4.

 

Since 2010, I ran fresh malware samples on my safe-admin setup (can also install unsing run as), only once gotten into a situation in which setting for my temp folder was changed and I was not able to install anymore from Temp.

Extra precaution to prevent this from happening again, disabled macro's in Office, installed AppLocker fix and locked Outlook/Chrome through GPO and added ACL's deny traverse folder/execute file.

So I am quite confident about my setup even when using SRP

 

Tried 4.01.06 in Windows 8 Pro x64bit – but still cannot copy\paste from sandboxed browsers, so have gone back to 3.76.
Will wait until the stable version is released.

 

No problems here on Windows 8 (64bit) (it's not the Pro version though).

 

That is very odd. I do not experience that issue any longer, and I have the same OS as you do. It was fixed completely in the .06 release. Works fine in IE10 and Chrome 26. Are you perhaps using Opera?

 

Using Firefox and Palemoon.
As mentioned in my post #105 – the copy\paste issue seems to be specific to Apache Open Office (no problems copy\pasting to Wordpad\Notepad, etc within Windows 8 Pro)

And my situation is a tad complicated - I have Windows 8 Pro installed as a VM in Virtualbox – and Open Office installed in Windows 7 (my host) – so I have a requirement to copy\paste from my sandboxed browsers in Windows 8 to Open Office in Windows 7.

The only thing that changed with 4.01.06 was that I no longer got the 'Requested Clipboard format is not available' message when trying to copy\paste.
(it's NOT a Shared Folder issue!)

Edit
I failed to read my notes correctly – cannot copy\paste from sandboxed browsers in Windows 8 to anywhere in Windows 7.

 

I posted this in Sandboxie Forums' Problem Reports section.

Cruise

 

Hey Cruise, perhaps (if you haven't tried it) you can get cookies to remain after deleting the sandbox by allowing Direct access to IE cookies instead of adding the IE cookies folder to SBIE's Immediate Recovery list. In Applications>Web browser>Internet explorer, tick to allow direct access to internet explorer cookies.

Bo

 

Bo,

Thanks for that tip. I'll try that today and let you know if it solves my problem.

Cruise

Update: Bo, your suggested setting resulted in an improvement, but v4.01.xx still has cookie issues. To explain, my home page login is now 'remembered', but my gmail login is not (probably because my gmail cookies are stored elsewhere)!

 

.07 has been out since April 29 for those who might have missed it.

Cheers

 

Thanks, I did miss it this time. The betas must not check for updates.

 

Build .07. I have a small but annoying problem. I've created shortcuts for sandboxing programs via Windows shell integration option, pinned them to the taskbar, the programs open in the sandbox but they open to the far right instead of in place of the pinned icon, i.e:


It worked correctly with 3.76. Does anyone have the same problem, and how can I make it work, since taskbar space is sparse.

 

Thanks.

 

Is the latest version 4.01.07 closer to release candidate (RC)? I have Windows 8 on my both of my machines. Just wondering if I am still safer using the older version of Sandboxie or should I switch to the beta version?

 

Sportscubs1272, yes, you are safe using V3.76. If V3.76 is working fine for you, then there is no need for you to upgrade to V4.01.07 at this time. A few days ago I read a post by Tzuk in which he said V4 still needs a little work before the stable is released. If you like to try the latest beta, I ll say go ahead, I am using it in my XP and W7 and only have one issue with one program in XP, none in W7.

Bo

 

V4.01.08 is out, people that haven't tried V4 and like to try it, can get the installer from here.

http://www.sandboxie.com/phpbb/viewtopic.php?t=14453

Installing/uninstalling Sandboxie takes seconds and doesn't break computers. If you decide to try this version and find an issue between SBIE and another program, help Sandboxie by reporting the problem in the SBIE forum.

Bo

 

Thanks for the heads up to. 08

Been finding it a problem in the last beta. 07 where the delete command is not working as expected when issuing delete contents of sandboxes and so have to manually take that task. Otherwise its solid as its always been.

Regards Easter