Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by bo elam, Apr 22, 2020.
Sorry, no idea. Never used ..box --no-sandbox.. before 86.x.
FWIW ~ @zmechys
IIRC the order of the arguments does not matter unless they have a parameter following them.
Me too, thanks everybody. Brave was unusable before I changed the target entry.
You were able to go around that "annoying" Sandboxie glitch.
Does it mean - You are a Sandboxie pro?
Does it mean - You know why it happened after the Chrome update?
Usually, I try to open my browsers not in Sandboxie in order to update extensions/add-ons, but...
After following your instructions on "fixing" a glitch of Sandboxed Chrome, I could not open Chrome without Sandboxie.
Any ways to go around it?
Somehow it happened, that, currently, you are one of very few Sandboxie developers.
I wonder if after providing all that Sandboxie coding to the whole world, Sandboxie could become vulnerable?
Interesting, earlier in this thread I also mentioned to try to disable Vivaldi's internal sandbox, but can you only do it via this command? Isn't it possible to simply add the "no sandbox" prefix to the Vivaldi shortcut? Of course Vivaldi should be forced to run sandboxed.
Aren't you a Win 8.1 user? Then perhaps you can test if Vivaldi 3.4 works correctly on your system WITHOUT having to disable Vivaldi's sandbox. If so, you don't need this workaround.
OK I see, I thought you still had an older machine with Win 8.1. I will soon buy a new laptop with Win 10, but I will also keep using my desktop with Win 8.1 installed.
Perhaps you can also test it on Win 8.1, because I'm not having these problems. So Chromium 86 combined with Sandboxie seems to behave differently on Win 10.
There is no real security through obscurity.
Regarding "annoying" Sandboxie glitch > Thanks @g17 > #505
Regarding "could not open Chrome without Sandboxie" > I have shortcuts for browsers w/wo --no-sandbox.
Target: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Target: "C:\Program Files\Sandboxie\Start.exe" /box:Edge msedge.exe --no-sandbox --test-type
I run discrete browser sandboxes.
Since 86.x. I created shortcuts for each browser.
Note: Shortcuts may not be your preference.
Prior to 86.x. I used Forced n' Disable Forced for browsers.
I'd prefer to go back to Forced n' Disable Forced for browsers.
I think I found a good way to fix the chrome issue, please try out my latest build: https://www.wilderssecurity.com/threads/sandboxie-plus-sbie-fork.427755/page-24#post-2955461
Regarding latest Plus build > #581
You are insane people. Using --no-sandbox flag is a terrible idea that weakens your security tremendously. Vulnerabilities that allow sandbox escaping from Chrome's renderers are extremely rare. I cannot say the same about Sandboxie, especially about Tom's branch.
Don't get me wrong: Sandboxie is still a great piece of software, but it is a general-purpose sandbox. All Chromium-based browsers have their special-purpose sandbox that is significantly more restrictive than Sandboxie can ever be. They have complete control over the code that runs in the sandbox and, therefore, can apply the Least Privileges Security to the fullest. Sandboxie, on the other hand, must maintain compatibility with tons of third-party programs that break when you put them into a too restricted environment.
I encourage everyone to use David's fork since it is more secure and doesn't have an incompatibility with most web-browsers. I know that it has an inconvenience with the signing certificate and, therefore, false-positives, but if you can't configure your antivirus to make an exception - find another one that does not fool you by ignoring your preferences.
Tom, Bo, you should really do something to keep up. I will need to publish the details about the CVEs I requested more than a year ago eventually. David has the security fixes for you; all you need is to release them.
You put this so well and succinctly. I'm just a casual user and upon reading about the "workaround," it was clear: a workaround for a security program with no official remediation in sight (yet), hmmm, not for me. Sandboxie needs to be whole for me. Again, I have to reference stapp who said:
So, watching and waiting for the Plus fork to mature.
Don't you say, really?
Tomorrow first thing in the morning: application for the mental asylum.
Reason? Someone said I'm insane for disabling Chrome's built-in sandbox.
The plus fork for the time being also provides a legacy installer for the classical sandboxie, no fancy new UI, just all the bug fixes and new features if you edit the ini by hand. Nothing but a proper certificate to wait for.
It's all in Tom's hands. There is nothing Bo can do except tell people Tom has not replied to his mails for months.
Bo started this thread writing: "I think this is the right time to create this thread". Sadly he should start thinking when it's the right time to close it if Tom doesn't show up soon.
I don't know if David will be willing to deal with the classical Sandboxie in the future too. But at least at the moment - if I judge the situation correctly - users with a preference for the classical version (like me) do not depend on Tom's return and his further development of (classical) Sandboxie, as David has done this work - and still does it at least for the time being (as he writes himself). (Many thanks, David.)
In other words: At the moment David obviously offers us two models of Sandboxie which are up-to-date: the one designed by himself and the classical one in the way it was announced by Tom. The only problem with David's continuation of the classical Sandboxie is indeed the inconvenience caused by the missing certificate.
Have you heard anything about some users of your Sandboxie versions that were able to by-pass the Driver Signature issues with Driver Signature Enforcement Overrider?
I don't know what you are talking about. Sandboxie is as restrictive as it can be. If it was more restrictive, most programs wouldn't be able to run sandboxed. And that's not what we want. We want balance between usability and security and to be able to run sandboxed most programs that are popular and widely used. That's what we've always gotten with SBIE.
This, what's better, Chrome's sandbox or Sandboxie, has been discussed many times before here. Personally, that discussion bores me. So, I won't get into it. But for what it's worth, I wouldn't trade Sandboxie for anything. And, in the case of the Firefox sandbox, I have been disabling it forever. Never had compatibility issues with Sandboxie's sandbox but I've been doing it because I think it is likely Sandboxie works better that way. So, disabling the Chrome sandbox doesn't make me blink at all. In fact, doing it is probably better for the proper functioning of Sandboxie.
I trust Bo.
I remember, many years ago, Bo told me about Sandboxie, while we were discussing various Antivirus/Malware products.
And Bo was right.
Except... It is a bad idea.
Do you want me to publicly disclose a complete chain of exploits that allows a sandboxed program started by a user without administrative privileges to escape the sandbox all the way up to NT AUTHORITY\SYSTEM (which is more powerful than administrators)? I would love to. David already fixed them, so everyone can stay safe using his fork.
Bo, you don't need to take my word for it. I sent you two proof-of-concept programs that do precisely what I mentioned. Have fun.
Thank you. As a trial, I've added my Sandbox folder to the BitDefender exception list.
Somehow, I've downloaded that "fancy, new UI" David's Sandboxie.
After rebooting, I could not find ANYWHERE that Sandbox Plus. I was looking and looking for that "fancy" new Sandboxie Plus to no avail.
I know it's me just getting old/older.
After my tremendous failure to find that Sandbox Plus, I've downloaded David's Classic version, and easily installed it.
Just a question.
In order to accelerate David's Sandbox installation, I've added the whole Sandbox folder to my BitDefender exception list.
I think I need to add just one file from it.
I'm a little confused but I think I understand your concern.
Prior to V86 in Chrome, there were no issues. Does this mean the sandbox in Chrome was not functional until v86? Sandboxie certainly has not changed, we know that.
If that's the case, how can disabling it in V86 be any less safe than it was in V85?
I'm not sure anyone knows precisely why the update broke it, I could be wrong.
Absolutely on Windows 8.1 and staying until Microsoft gets a new brain and develops a Windows 11 if they even have the courage to do it.
I will try the version mentioned and see if some improvements come thru or not.
As we know from David's fix, a new flag they started using in version 86 to tighten job-based restrictions broke process creation because it is incompatible with Sandboxie (that uses jobs as well).
I don't think there are any significant architectural differences between 85 and 86 since the code already runs with virtually zero permissions. I suppose these are just cosmetic changes to address potential attack vectors.
You made me realize that I should write a post that explains Sandboxie's architecture. It is an interesting topic that should clarify a lot. Chrome's sandbox already has similar documentation, for example. Sandboxie effectively uses the same security context as they do (because it is as secure as you can get). However, to run third-party programs, Sandboxie includes a huge compatibility layer that introduces more attack surface (since it contains privileged components — a driver and a service). Therefore, Sandboxie cannot provide the same level of security guarantees as Chrome sandbox. We are still talking about a highly isolated environment, so it is a reasonable trade-off for more functionality. That's why you should not use --no-sandbox flag. But Bo is correct; we should not say that one of these sandboxes is better than the other; they have different applications.
Since V86, Chrome started to try to add the started worker processes to a job object during creation; that is what broke the call to CreateProcessAsUserW -> ... -> NtCreateProcess. The fix for that was to override a kernel32 API function and just not do it.
Earlier Chrome builds did that step separately and, as far as I can tell, that just silently failed, as Sandboxie in normal operation makes all processes run within job processes already.
I will continue providing the classical version forever if Tom doesn't return, it is really no effort doing that.
When Tom announced to continue the classical version I just thought no need in providing essentially the same files twice so I said I'll make the Plus only.
But now I'll make both, no problems there.
That may be remedied in the months to come. I'm looking into options to get that cert through a friend's company, that might just work, so stay positive.