Sandboxie + SuRun = Problems plz help

Hello everyone,

I cannot run any Sandboxed programs with admin
priviliges even after adding SuRun in Sandboxie.

The same programs run with admin privileges if they
are NOT configured to run in Sandboxie.

I dont wanna run all the programs in admin priviliges all the
time. Its just for eg. if I want to update Firefox

Please help

 

I have the same problem bro!

 

@exus,

I've looked for ways to acheive this in the XP vm, even adding the sandboxie directory to be elevated in Surun, but came up empty handed

 

maybe someone can report it to tzuk

 

This is not new. SuRun, while being a great tool, fails when it comes to certain things. In the past, I had issues with SpeedFan, RivaTuner and Unlocker. I would imagine Sandboxie is similar. I place more emphasis on the tools I use daily than I do security, because I don't really have a security issue. Others, they might place different emphasis.

I fiddled with SuRun for a good bit and did come up with ways to work around it, but none of them satisified me, so I quit using it on my systems.

Sul.

 

yea I ditched SuRun.

I was hoping Powerbroker Desktop will work with Sandboxie but Sandboxie stops working after Powerbroker is installed.

 

So is there a better alternative to SuRun?? or do you think the default "Run As" (Win XP SP3 + Fully updated) with all the updated third party applications is more than enough and very less likely to create problems??

 

You always weight security against convenience.

As a user, you must have admin rights for admin functions. Historically, one would log out of user, and log in as admin, perform the duties, then log back in as user.

RunAs is designed to allow the user to stay logged in, and run a process as an admin. When the process closes, so does the admin access it had, and back to user land.

SuRun attempts to create convenience, just like UAC does. RunAs is somewhat limited, whereas SuRun/UAC both offer features that make it easy to elevate to admin. SuRun goes beyond UAC (or rather, UAC did not come up to SuRun's feature set) with many features, probably the most notable being it can remember your preferences and as it says "automagically" elevate a process.

There is nothing really quite like SuRun, especially on XP. UAC I suppose is the next best thing in terms of convenience and ease of use. One thing that always bothered me about SuRun was that IF you had it auto-elevate something, and that something ever got compromised, it would then auto-elevate with root and that would not be a good thing. The odds are likely against it, it was just something that always bothered me.

There are many RunAs tools available. The native RunAs obviously works fine, and the 3rd party ones I have tried never caused issues. They are much more direct than what SuRun does by creating the SuRunners group and such. On most machines none of them will cause issues, of course there is always the chance.

If you are handy with scripting and you perform the same tasks over and over, there is nothing preventing you from creating your own RunAs scripts, which can be done in multiple script languages. Just as an idea, you could have a bunch of special scripts that start certain programs as admin. This way it is semi-convenient and fairly secure, as a malware/virii would have to know of your scripts to use them against you, which is very unlikely to ever happen.

SuRun and other methods though, again, bring you convenience of running things as admin without the preparation of scripting - much more flexible.

If I were you, and I could be a USER most of the time, then I would take a close look at what I really need to elevate. Determine if it is a certain set of tools or activities that you do, and then decide if you could just script them or use one of the RunAs tools easily. Or you may find you never really know what you need to elevate. In this case, you have to decide, do you want the convenience of a SuRun type approach, or can you live with RunAs approach.

I hate both approaches myself, but only because I am constantly doing something that requires admin. The only things I do that don't are play games sometimes, watch a movie or browse the web doing research. Just about anything else I do on my machine is pretty geeky, messing with stuff that needs admin. You must find out what you do, and make your own concessions that make the most sense to you.

I cannot think of a replacement for SuRun on XP. There are many RunAs tools though. I don't know if any of them are really something you need to worry about creating problems. As I said, most of what you need to worry about is how inconvenienced you want to be by using RunAs methods.

Sul.

 

I fully agree with Sul. This has always bothered me about SuRun too and I noticed the same problem you are having with it on my Windows XP machine exus69.

If you ever have anything automatically accept something for you there is always risk of it getting comprised without you even knowing about it.

 

"Automagically" elevate is just an option. you're not forced to use it. You can manually elevate the processes you want - when you want - without having to answer a prompt or provide credentials.

 

That is very true. I'm not nagging at SuRun, I think it is a great tool for the right job. Without "automagically" elevating a process, it still gives many features of convenience that RunAs does not offer, even if you must input credentials for everything.

Sul.

 

I sure am glad my car doesnt require SuRun and reduced admin rights to drive.

 

Too good Sul, that was a thorough explanation Thanks to you and all the others for reading and giving their inputs.

 

I'm lazy

and I am still waiting for tzuk to fix the problem with PowerBroker Desktop its a convenience tool like SuRun.

 

No worries Sul, not blaming you either I just wanted to set the record straight for anyone who thought it worked only the automagic way.

 

There's one scenario where SuRun can fail and that is if you give your laptop to someone say for eg. for some hours or a day or so. In that case, the user can install software even without knowing the administrator password. He would of course know the password of the LUA which he has logged in with. What say?

 

I haven't used SuRun lately but I think, if you check in the settings under "surunners group" you can:

• uncheck "the user can change surun settings"

• check "users can only run predefined..."

Now users cannot run as admin unless they change the above, which requires the admin pwd.

 

That's correct.

 

I have been using SuRun on my Windows XP systems and just started playing with Sandboxie (got the full version with the 50% discount). I was also having problems starting arbitrary programs sandboxed (e.g. right-click on a pdf and select "Run Sandboxed") because SuRun would try to run inside the sandbox.

I have stumbled upon what appears to be a solution to that problem: in the SuRun settings, go to the "Execution Hooks" tab and click the "Blacklist" button, then add the path to "Sandboxie\Start.exe" to the blacklist.

I am now able to run arbitrary programs in the sandbox without SuRun trying to run in the sandbox as well. Perhaps this will help other people trying to use SuRun and sandboxie...

 

@peter,

nice find! Please let us know of any issues.

 

That is correct. When you got no wish to have SuRun interception certain processes, you should blacklist them.

I learnt quite a lot when reading the translation file.