Sandboxie + SuRun = Problems plz help

Discussion in 'sandboxing & virtualization' started by exus69, Sep 17, 2011.

Thread Status:
Not open for further replies.
  1. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hello everyone,

    I cannot run any Sandboxed programs with admin
    privileges even after adding SuRun in Sandboxie.

    The same programs run with admin privileges if they
    are NOT configured to run in Sandboxie.

    I don't wanna run all the programs with admin privileges all the
    time. It's just for e.g. if I want to update Firefox

    Please help
     
  2. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I have the same problem bro! :(
     
  3. wat0114

    wat0114 Guest

    @exus,

    I've looked for ways to achieve this in the XP VM, even adding the Sandboxie directory to be elevated in SuRun, but came up empty-handed :(
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    maybe someone can report it to tzuk :)
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    This is not new. SuRun, while being a great tool, fails when it comes to certain things. In the past, I had issues with SpeedFan, RivaTuner and Unlocker. I would imagine Sandboxie is similar. I place more emphasis on the tools I use daily than I do security, because I don't really have a security issue. Others, they might place different emphasis.

    I fiddled with SuRun for a good bit and did come up with ways to work around it, but none of them satisfied me, so I quit using it on my systems.

    Sul.
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    yea I ditched SuRun.

    I was hoping PowerBroker Desktop would work with Sandboxie, but Sandboxie stops working after PowerBroker is installed. :(
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,056
    Excellent idea. Why don't you join the Sandboxie forum and report it.
     
  8. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    So is there a better alternative to SuRun?? Or do you think the default "Run As" (Win XP SP3 + fully updated) with all the updated third-party applications is more than enough and much less likely to create problems??
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    You always weigh security against convenience.

    As a user, you must have admin rights for admin functions. Historically, one would log out of user, and log in as admin, perform the duties, then log back in as user.

    RunAs is designed to allow the user to stay logged in, and run a process as an admin. When the process closes, so does the admin access it had, and back to user land.

    SuRun attempts to create convenience, just like UAC does. RunAs is somewhat limited, whereas SuRun/UAC both offer features that make it easy to elevate to admin. SuRun goes beyond UAC (or rather, UAC did not come up to SuRun's feature set) with many features, probably the most notable being it can remember your preferences and as it says "automagically" elevate a process.

    There is nothing really quite like SuRun, especially on XP. UAC I suppose is the next best thing in terms of convenience and ease of use. One thing that always bothered me about SuRun was that IF you had it auto-elevate something, and that something ever got compromised, it would then auto-elevate with root and that would not be a good thing. The odds are likely against it, it was just something that always bothered me.

    There are many RunAs tools available. The native RunAs obviously works fine, and the 3rd party ones I have tried never caused issues. They are much more direct than what SuRun does by creating the SuRunners group and such. On most machines none of them will cause issues, of course there is always the chance.

    If you are handy with scripting and you perform the same tasks over and over, there is nothing preventing you from creating your own RunAs scripts, which can be done in multiple script languages. Just as an idea, you could have a bunch of special scripts that start certain programs as admin. This way it is semi-convenient and fairly secure, as a malware/virii would have to know of your scripts to use them against you, which is very unlikely to ever happen.

    SuRun and other methods though, again, bring you convenience of running things as admin without the preparation of scripting - much more flexible.

    If I were you, and I could be a USER most of the time, then I would take a close look at what I really need to elevate. Determine if it is a certain set of tools or activities that you do, and then decide if you could just script them or use one of the RunAs tools easily. Or you may find you never really know what you need to elevate. In this case, you have to decide, do you want the convenience of a SuRun type approach, or can you live with RunAs approach.

    I hate both approaches myself, but only because I am constantly doing something that requires admin. The only things I do that don't are play games sometimes, watch a movie or browse the web doing research. Just about anything else I do on my machine is pretty geeky, messing with stuff that needs admin. You must find out what you do, and make your own concessions that make the most sense to you.

    I cannot think of a replacement for SuRun on XP. There are many RunAs tools though. I don't know if any of them are really something you need to worry about creating problems. As I said, most of what you need to worry about is how inconvenienced you want to be by using RunAs methods.

    Sul.
     
  10. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    339
    I fully agree with Sul. This has always bothered me about SuRun too and I noticed the same problem you are having with it on my Windows XP machine exus69.

    If you ever have anything automatically accept something for you, there is always a risk of it getting compromised without you even knowing about it.
     
  11. wat0114

    wat0114 Guest

    "Automagically" elevate is just an option. You're not forced to use it. You can manually elevate the processes you want - when you want - without having to answer a prompt or provide credentials.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is very true. I'm not nagging at SuRun, I think it is a great tool for the right job. Without "automagically" elevating a process, it still gives many features of convenience that RunAs does not offer, even if you must input credentials for everything.

    Sul.
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I sure am glad my car doesn't require SuRun and reduced admin rights to drive. :blink:
     
  14. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Too good Sul, that was a thorough explanation :) Thanks to you and all the others for reading and giving their inputs.
     
  15. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I'm lazy :argh:

    and I am still waiting for tzuk to fix the problem with PowerBroker Desktop; it's a convenience tool like SuRun.
     
  16. wat0114

    wat0114 Guest

    No worries Sul, not blaming you either :) I just wanted to set the record straight for anyone who thought it worked only the automagic way.
     
  17. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    There's one scenario where SuRun can fail, and that is if you give your laptop to someone, say, e.g., for some hours or a day or so. In that case, the user can install software even without knowing the administrator password. He would of course know the password of the LUA which he has logged in with. What say?
     
  18. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    31
    I haven't used SuRun lately but I think, if you check in the settings under "surunners group" you can:

    • uncheck "the user can change surun settings"
    • check "users can only run predefined..."

    Now users cannot run as admin unless they change the above, which requires the admin pwd.
     
  19. wat0114

    wat0114 Guest

    That's correct.
     
  20. peterk62

    peterk62 Registered Member

    Joined:
    Feb 10, 2009
    Posts:
    47
    I have been using SuRun on my Windows XP systems and just started playing with Sandboxie (got the full version with the 50% discount). I was also having problems starting arbitrary programs sandboxed (e.g. right-click on a pdf and select "Run Sandboxed") because SuRun would try to run inside the sandbox.

    I have stumbled upon what appears to be a solution to that problem: in the SuRun settings, go to the "Execution Hooks" tab and click the "Blacklist" button, then add the path to "Sandboxie\Start.exe" to the blacklist.

    I am now able to run arbitrary programs in the sandbox without SuRun trying to run in the sandbox as well. Perhaps this will help other people trying to use SuRun and Sandboxie...
     
  21. wat0114

    wat0114 Guest

    @peter,

    nice find! Please let us know of any issues.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That is correct. When you have no wish to have SuRun intercept certain processes, you should blacklist them.

    I learnt quite a lot when reading the translation file. :D
     