SBIE troubles with SRP!

Discussion in 'other security issues & news' started by Ashanta, Aug 7, 2009.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Sully is right, and here is a custom path rule that allows the programs installed on the D partition on our XP machine (it has a C & D partition) to be used under a limited account, otherwise without this exception rule, there is no way a limited user can launch these programs.
     
  2. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe

    Thanks for your reply Sully,

    I had already understood what you explained in your post. As you know, I already added rules from my first post. It wasn't a matter of how to do it with SRP.

    What I wanted was:
    the default deny SRP with disallowed, all files, all users except admin and without adding rules, and be able to run with my SUA and UAC enabled, 'Run As Admin' all the programs. At the same time, SRP locked all the programs and I could 'Run As Admin' whatever programs I'd like.

    What I don't want is adding extra rules, because these folders and files were not locked and protected anymore by SRP.

    That was the point! ;)
     
    Last edited: Aug 14, 2009
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Right. But first break down the equation.

    1) you are user, call it SUA/LUA or just user, either way you are user.
    2) you plan to use UAC to escalate to Admin when needed
    3) you wish to lock all programs for User, but not for Admin, which has to 'RunAs' because of LUA/SUA
    4) you do not wish to add extra rules -- hmm.

    So to solve for this equation then, we must

    1) make us a User -- easy.
    2) keep UAC enabled -- easy.
    3) engage SRP, where deny is the default policy, and it only applies to users NOT admins -- easy.
    4) no extra rules -- this is where it breaks down! You must add extra rules unless you only want to run what is native to SRP, which is anything in c:\windir and c:\program files. All other paths are intrinsically locked because by default SRP only allows execution from those two paths.

    So, we can examine more closely what you can expect, or should be able to expect under normal conditions.

    As a User you can execute within %windir% and %programfiles%, wherever the path says they are. You cannot execute from any other path, including %profiledir%; this includes the desktop. By default .lnk is denied for a User, so your shortcuts will not work. This is obviously why you remove the .lnk, so you can start items in %windir% and %programfiles% easily with links instead of directly from their respective parent directories.

    In your case, you wish to execute something as an Admin, using UAC/RunAs/SuRun or whatever. This should pose no problem normally because Admins are not included in the SRP policies.

    But you say you don't want to add extra rules. I will read further into this than you mean because someone else will read this and might not understand. In your case you have installed programs to K:\program files\programs.. SRP by default does not know of this, and when you execute as a User, SRP dutifully says no, it is not allowed.

    Should you run as Admin, SRP ignores you because it is supposed to. So the only way you will ever get SRP to allow the User to execute anything in K:\Program Files\... is to make a rule for it. The rule can be wide open, thus k:\program files\* would work, or perhaps you know only a few programs you will like to allow and make more specific path rules for just those. The same goes for any other directory other than something within %windir% or %programfiles%, it will need a rule applied to allow it.

    Now let us look at Sandboxie in this context. As a user, you are allowed to run anything within %programfiles%, so you can start SBIE itself without issue. So if you choose to start iexplore.exe in SBIE, it is no issue. But in your case, you have maybe firefox installed to k:\program files\mozilla\firefox, so when you execute firefox.exe into SBIE, SRP intercepts and says there is no rule for K:\program files\mozilla\firefox\firefox.exe, and it denies it. Even though SBIE is allowed, SRP is blind. SRP only cares about 2 things, if there is a path allowing, and if it is Admin or User requesting. Thus, adding the extra rule into SRP to allow K:\program files solves this issue.

    Whether or not dll inclusion can be turned on seems to be up in the air. Whether you would have to add c:\sandbox to an SRP path rule is also something up in the air. I did not try, but could imagine that if you tried to execute from within the sandbox you would get one of 2 results.

    First, execution is read by SRP, and it sees the legitimate path as c:\sandbox\drive\program files\path\program.exe, and it refuses because there is no path rule for c:\sandbox* and default-deny means to deny.

    Second, execution is read by SRP, but it sees the virtual path c:\program files\path\program.exe and processes accordingly. Which of course means the program could execute because SRP thinks the path is a real path not a virtual one.

    Now that all that is done, if I read you correctly, you are wishing to engage SRP default-deny, which locks all but %windir% and %programfiles%. You then wish to run as SUA/LUA, and with no extra path rules, nothing is allowed but those 2 defaults. Then, you wish to login as SUA/LUA, and only run, as Admin, via UAC/RunAs the specific programs you wish. Leaving you with normal use, no program at all ever running, as a User, unless you very specifically start it as an Admin. I think that is what you are wanting.

    So you could leave %windir% in place, and then open very specific %programfiles% directories to fine tune just what cannot be run. This way then, you lock down much more to never running unless you specifically say so, and then only as Admin.

    I like your crooked way of thinking, right along the lines of what I would do. But I must ask, what would you find to be advantageous about running programs as Admin only? You realize of course that, as an example, you do this thing you are thinking. Login as User, nothing runs, but you start Firefox to browse, and the only possible way is to start as Admin, because that is how your system is designed to be. So FF starts, but as Admin. Now you have given root privileges to a program that is connected to the wild world of weirdos (aka www) and have no recourse to stop what it might do except through means other than what the OS is offering.

    I see your madness though with the inclusion of SBIE. You wish to lock down anything, but run everything in SBIE maybe? Thinking this way, you start the computer, nothing can run because of SRP, and with UAC/RunAs you need to give permission to start as Admin. So now you can start Firefox as Admin, but also have SBIE forcing Firefox into a sandbox. This way, only what you want starts, requires specific action to start, and when it does is automatically forced into SBIE.

    Am I even close to what you are thinking? lol, it seems so. I love looking at and trying things from obtuse angles, just like this. Or maybe I don't know jack beans.

    Yeah, forgive this long-winded post; I'm not assuming you don't know, just putting it out there in case someone else might find it useful.

    Sul.
     
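To make the decision logic in Sully's post concrete, here is an added Python model of how SRP path rules, the "all users except local administrators" scope and the designated file types combine (a constructed example, not Microsoft's implementation and not code from anyone in this thread). The environment-variable values, the default %windir% and %ProgramFiles% rules, the K:\Program Files rule and the c:\sandbox path are assumed sample values; hash, certificate and zone rules are not modelled.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import ntpath

# Constructed stand-ins for the machine's environment variables (not read from the OS).
ENV = {"windir": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}

def expand(path: str) -> str:
    """Expand %VAR% tokens and normalise to SRP's case-insensitive form."""
    for name, value in ENV.items():
        path = path.replace(f"%{name}%", value)
    return ntpath.normcase(path)

@dataclass
class Policy:
    default_deny: bool = True                 # security level "Disallowed"
    users_only: bool = True                   # "all users except local administrators"
    enforced_types: set = field(default_factory=lambda: {"exe", "com", "bat", "cmd", "lnk"})
    # path rule -> allowed. SRP ships with Unrestricted rules for %windir% and %ProgramFiles%.
    rules: dict = field(default_factory=lambda: {"%windir%": True, "%ProgramFiles%": True})

def path_matches(rule: str, path: str) -> bool:
    """A rule matches the path itself, anything below it, or via * and ? wildcards."""
    rule = expand(rule)
    if any(ch in rule for ch in "*?"):
        return fnmatchcase(path, rule)
    return path == rule or path.startswith(rule.rstrip("\\") + "\\")

def decide(policy: Policy, path: str, is_admin: bool = False) -> str:
    """Return 'allow' or 'deny' for a launch request under the given policy."""
    if policy.users_only and is_admin:
        return "allow"                        # admins sit outside the policy scope
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    if ext not in policy.enforced_types:
        return "allow"                        # not a designated file type, SRP ignores it
    target = expand(path)
    # The most specific (longest) matching path rule wins; otherwise the default level applies.
    hits = [(len(expand(r)), ok) for r, ok in policy.rules.items() if path_matches(r, target)]
    if hits:
        return "allow" if max(hits)[1] else "deny"
    return "deny" if policy.default_deny else "allow"
```

Run `decide` against a K:\Program Files path before and after adding a `K:\Program Files\*` rule, and against the real c:\sandbox\... path, to see the first of Sully's two sandbox outcomes and why the extra rule is unavoidable for a limited user.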