Sandboxie Plus (Sbie fork)

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Apr 9, 2020.

Thread Status:
Not open for further replies.
  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Vienna
    About the AnonymousLogon=n option.
    I think a possibly better workaround would be to create a dedicated sandboxie user with no rights and use its SID instead of the anonymous one, if that works for the installer. I will investigate that idea further...
     
  2. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    401
    Location:
    uk
    I've now set up a separate sandbox, and added AnonymousLogon=n.

    Seems to work ok on a quick test :thumb:
     
    Last edited: Jun 19, 2020
  3. DavidXanatos

    DavidXanatos Developer

    Some more info on the MSI thing: it seems only the sandboxed msiserver needs to keep its token, the other processes do not,
    so the next build will contain a dedicated option MsiServerKeepToken=y to allow only msiexec.exe to keep the system SID.
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    What are the security implications of this workaround?
     
  5. DavidXanatos

    DavidXanatos Developer

    With an actual system token, even though it's restricted, the process can do a few nasty things like creating another process and giving some of its threads an unrestricted token; with that it could attempt to break out of the sandbox.

    This should really be used for installations of things that are at least in principle trustworthy, i.e. apps you want to try before you install for real etc.

    I will update the message about that setting to clarify that applying it is risky.

    The AnonymousLogon=n is an existing setting that was there for a long time, just not documented; it was intended for debugging use.
     
    Last edited: Jun 19, 2020
  6. Buster_BSA

    Buster_BSA Registered Member

    Good to know, thanks!
     
  7. DavidXanatos

    DavidXanatos Developer

    I have localized the issue with the MSI installer...

    with the anonymous token the call to __sys_CreateProcessInternalW_RS5 fails with error ERROR_INVALID_OWNER

    what is strange though is that other calls to that function work in similar circumstances.

    So maybe there will soon be a proper fix for the MSI problem :D
     
  8. henryg1

    henryg1 Registered Member

    Not working on my laptop with W10x64 2004. Exclamation mark in SBControl in taskbar notification area. Fine on desktop with 1909.
     
  9. DavidXanatos

    DavidXanatos Developer

    Could it be that some antivirus blocked/deleted sbiedrv.sys? I had it tested on 2004 and it worked fine in my VM.
     
  10. Buster_BSA

    Buster_BSA Registered Member

    I got the exclamation mark when Windows Defender detected the driver and stopped it so that's probably the issue.
     
  11. DavidXanatos

    DavidXanatos Developer

    This build finally fixes the MSI installer issue, also it adds some debugging improvements.

    Download: https://github.com/sandboxie-plus/Sandboxie/releases/tag/v0.2.2

    [0.2.2 / 5.41.2] - 2020-06-19
    Added
    • added option SeparateUserFolders=n to no longer have the user profile files stored separately in the sandbox
    • added SandboxieLogon=y it makes processes run under the SID of the "Sandboxie" user instead of the Anonymous user
      -- Note: the global option AllowSandboxieLogon=y must be enabled, the "Sandboxie" user account must be manually created first and the driver reloaded, else process start will fail
    • improved debugging around process creation errors in the driver
    Fixed
    • fixed some log messages going lost after driver reload
    • found a workable fix for the MSI installer issue, see Proc_CreateProcessInternalW_RS5
     
  12. DavidXanatos

    DavidXanatos Developer

    It seems in more recent Windows versions CreateProcessInternalW_RS5 fails when a process with a restricted token is trying to specify a security descriptor in the lpProcessAttributes field.
    The fix for now is to force this parameter to be NULL on Windows > 1803

    with that the MSI installer works just fine, no need to let it keep the system token after all :D
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Previously you wrote: "so the next build will contain a dedicated option MsiServerKeepToken=y to allow only msiexec.exe to keep the system sid"

    but I think instead of "MsiServerKeepToken=y" you added "SandboxieLogon=y". To use this option we must use the global option "AllowSandboxieLogon=y" and create a user account named "Sandboxie".

    Three questions:

    - Is "SandboxieLogon=y" a global option or must it be added to every sandbox individually?

    - To run MSI installers inside Sandboxie, apart from enabling the above, is it necessary to be logged in with the "Sandboxie" user account or is just creating it enough?

    - Does the new workaround pose a security risk or are apps running with that option completely isolated?
     
  14. DavidXanatos

    DavidXanatos Developer

    There is no MsiServerKeepToken as I found a better fix with CreateProcessInternalW_RS5
    so you can run msi installers as isolated as always with the 5.41.2 build. :D

    The SandboxieLogon is a separate feature that may be useful for something some day. I needed it to debug the behavior I observed with the tokens, for example to let the processes all get an admin user token or a normal user token, etc....
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Nice work, David! Congrats!

    So if I got it right "SandboxieLogon" and "AllowSandboxieLogon" are options available but at the moment are more oriented to help you to debug and are not intended for us the users. Right?
     
  16. DavidXanatos

    DavidXanatos Developer

    Yes exactly
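
An added example, not part of the thread and not Sandboxie's own code: a Python check that scans a Sandboxie.ini for the debug-oriented settings discussed above (AnonymousLogon=n, and SandboxieLogon=y without the global AllowSandboxieLogon=y). The sample config and the box names MsiTestBox and LogonTestBox are constructed; case-insensitive matching and treating lines starting with # or ; as comments are assumptions.

```python
# Added example: flag the Sandboxie.ini settings discussed in this thread.
# SAMPLE_INI is constructed; box names MsiTestBox and LogonTestBox are made up.
SAMPLE_INI = """\
[GlobalSettings]
# AllowSandboxieLogon=y is not set here

[DefaultBox]
Enabled=y
BorderColor=#00FFFF,ttl

[MsiTestBox]
Enabled=y
AnonymousLogon=n

[LogonTestBox]
Enabled=y
SandboxieLogon=y
"""

def parse_ini(text):
    """Return {section: [(key, value), ...]}. Keys may repeat, so keep a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # assumption: comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip().lower(), value.strip().lower()))
    return sections

def has(pairs, key, value):
    """True if any occurrence of key carries the given value."""
    return (key.lower(), value) in pairs

def audit(text):
    """Return [(section, setting, verdict)] for the settings named in the thread."""
    sections = parse_ini(text)
    allowed = has(sections.get("GlobalSettings", []), "AllowSandboxieLogon", "y")
    findings = []
    for name, pairs in sections.items():
        if has(pairs, "AnonymousLogon", "n"):
            # Thread: undocumented debugging setting, described as risky to apply.
            findings.append((name, "AnonymousLogon=n", "risky"))
        if has(pairs, "SandboxieLogon", "y"):
            # Changelog: without the global AllowSandboxieLogon=y, process start fails.
            verdict = "debug-only" if allowed else "will-fail"
            findings.append((name, "SandboxieLogon=y", verdict))
    return findings
```

Even with AllowSandboxieLogon=y present, the changelog also requires the "Sandboxie" account to exist and the driver to be reloaded, which a config scan cannot confirm.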
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi I just downloaded the portable version and have a few questions

    1) Because I'm using a dark theme browser I noticed the outline of the sandboxed browser is red in color and thin, which is not contrasting with my dark wall-papered desktop. Is it possible to choose and change the color, e.g. white, yellow, cyan, orange etc., to suit different colored desktop wallpaper colors? Having different thickness choices and solid line/long dash/short dash etc. would be better for clarity.

    2) When I went to a program on my desktop, say Chromium browser, and right click on it there's no 'Run or Open using Sandboxie?' I remember the older sandboxie has this option.

    Thanks
     
  18. DavidXanatos

    DavidXanatos Developer

    1) You can change the border color in the ini file

    2) It's portable, so obviously it does not integrate with Windows Explorer ;)
    If you want that integration just install the provided non-portable version; you can still use the new UI with it.
     
  19. NiteRanger

    NiteRanger Registered Member

    Thanks

    I went to the ini file and found this

    BorderColor=#00FFFF,ttl

    So this is supposed to be RED color?

    How to know what color corresponds to what after the = sign? Where to find those hex for colors?

    And if I want to increase the thickness of the border, how?

    Thanks again
     
  20. DavidXanatos

    DavidXanatos Developer

    The color codes can be found here: https://www.computerhope.com/htmcolor.htm
    It's a standard also used in HTML and many other applications

    BorderColor=#00FFFF,ttl
    is supposed to be yellow; if it's not for you then you must be using something that messes with the colors on a system level.

    About the line thickness: it's not configurable
     
  21. NiteRanger

    NiteRanger Registered Member

    Thanks again
     
  22. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    Unable to start SbiePlus (sandman.exe) on Windows 8.1 x64 and Win 10 LTSB x64. Starts fine on Win7 x86 and x64 using the same portable directories. Seems to be a problem with kmdutil. What's the purpose of this util?
    SbiePlus.jpg
     
  23. DavidXanatos

    DavidXanatos Developer

    hmm... will test that on an older VM asap.
    the kmdutil is responsible for installing, and starting the driver and service.
     
  24. DavidXanatos

    DavidXanatos Developer

    hmm... on my VMs it works fine, strange
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's about the dotted lines around "DefaultBox", it's also known as the focus rectangle.

    SBIE 20-6-2020.png
     