sandboxie v4 out Jan 10, 2013

Discussion in 'sandboxing & virtualization' started by soccerfan, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. Pete, agree, the Sandboxie ACL discussion in the AppGuard should have been discussed here, as even Tzuk agrees on this, thanks for the link :D

    With apologisies to BarbC ;)
    - windows 7 and Vista https://www.wilderssecurity.com/showpost.php?p=2218170&postcount=2332

    - windows 8 (thx to Shadek) https://www.wilderssecurity.com/showpost.php?p=2218209&postcount=2337

    I would not strip the bypass traverse checking of the user account (e.g. with GPO), this disables the possibility of a user to navigate through a folder with no access rights to a folder with access righs. When using deny "traverse folder/execute file" don't disable this bypass option it will make the Child directory in example below unaccessible with Windows Explorer and most "file open" dialogs.

    Grandparent folder (with access rights)
    Parent folder (without traverse folder/execution rights)
    Child folder (with access rights

    Default situation, when in the grandparent folder, one can click through the Parent Folder to get to the Child folder, with stripped traverse bypass at user rights one cannot click through Parent Folder (guess Microsoft found out afterwards it was not smart to combine the traverse and execute rights, so they came up with a traverse bypass which is now the default)


    Regards Kees
     
    Last edited by a moderator: Apr 23, 2013
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello Pete,

    This has been discussed/wanted since mid 2008 over Sandboxie forums. I haven't looked, so not sure if there are any older concerns about it.

    I provided a link before:

    -http://www.sandboxie.com/phpbb/viewtopic.php?t=3492

    There are workarounds, but don't work as expected, especially because whenever one deletes a sandbox, permissions set by the user will be gone. An alternate way would be using an external program to delete contents, but according to my own tests, it doesn't always work as expected, especially with tools like Eraser, mentioned at that same thread as well.

    Any folder created under the supervision of Sandboxie, will inherit permissions set by Sandboxie, not by the user... :ouch:

    The ideal solution would be for Sandboxie's author to address this situation once and for all, IMHO. So that no one has to tweak anything, that won't even work 100%.
     
  3. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yeah, unfortunately Sandboxie is explicitly setting permissions on each file/folder (I guess you know that), so therefore the "Inherit from parent" thing doesn't apply. :doubt:


    Along with screwing up some other important stuff, so absolutely don't do that (bypass traverse checking priv for user) in a desktop environment.
     
  4. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,438
    Location:
    Milan and Seoul
    Downloaded version 4.01.06 in Windows 8 (64bit). No problems so far.
     
  5. No I am not a Sandboxie user, bummer, now I understand the critism, well in that case I doubting additional advantages of SBIE + Chrome versus UAC plus Chrome sandbox with explicit "deny traverse folder/ execute" of User Data and Download directory, with Emet (exploit code prevention) and ZeroVulnability Browser Edition (payload dropper prevention). SBIE is good, but combined with SBIE running HIGH IL (yes thanks M00NB00D for spoiling that party o_O ) and Individual File/Folder permissions (thanks Dr L.P. for mentioning that one o_O ) you are putting all your money on one horse (although SBIE has proven to be solid and not a gamble/bed in the past).
     
    Last edited by a moderator: Apr 24, 2013
  6. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    I haven't had any desire to do your suggested "Deny execute" ACL trick, since (maybe this wouldn't apply in the sandbox folder, but elsewhere in general) I want to be able to execute stuff myself (XP Admin user)... So my idea/solution (though I haven't "bothered" to set it yet) is to remove Execute permission from CREATOR OWNER. Therefore, running with dropped rights, it's the same as deny execute; but with full admin privs, I can execute as part of the Administrators group. :)

    None of this matters that much, in the sense that anything that drops a file could give itself permissions and/or remove Deny entries as owner. That's why there's also SRP... which could also be bypassed. :argh:

    I'm not sure what that's about? :doubt: I see no High IL Sandboxie processes... Everything looks as it should and I'd expect. :)
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    He made confusion with me mentioning System IL. Not High IL. (They're pratically the same, in the sense that to get System, you need High.)
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You know it's always a pleasure. :D Any time. :thumb: ;)

    OK. I have the paid version, because I do like some functionality it offers, but what do you mean it has proven to be solid? Under which scenarios? I'm afraid (for some reality check) that we're still not in a time and age where Sandboxie is massively used by users to be put to test. Hopefully, it won't come to that either. :D (I do enjoy a bit of security through obscurity.) Accidents do happen, though.
     
  9. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    :) OK, the service processes. They wouldn't (couldn't) be anything other than System, AFAIK. So what's that matter? That's just how supervision is done, stuff running in the sandbox doesn't have "direct access" to them... They just handle (proxy) requests on behalf of sandboxed programs -- differently/more so now in version 4.
     
  10. Since 2010, I ran fresh malware samples on my safe-admin setup (can also install unsing run as), only once gotten into a situation in which setting for my temp folder was changed and I was not able to install anymore from Temp.

    Extra precaution to prevent this from happening again, disabled macro's in Office, installed AppLocker fix and locked Outlook/Chrome through GPO and added ACL's deny traverse folder/execute file.

    So I am quite confident about my setup :cool: even when using SRP
     
  11. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    Tried 4.01.06 in Windows 8 Pro x64bit – but still cannot copy\paste from sandboxed browsers, so have gone back to 3.76.
    Will wait until the stable version is released.
     
  12. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,438
    Location:
    Milan and Seoul
    No problems here on Windows 8 (64bit) (it's not the Pro version though).
     
  13. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    That is very odd. I do not experience that issue any longer, and I have the same OS as you do. It was fixed completely in the .06 release. Works fine in IE10 and Chrome 26. Are you perhaps using Opera?
     
  14. Krysis

    Krysis Registered Member

    Joined:
    Dec 28, 2012
    Posts:
    371
    Location:
    DownUnder
    Using Firefox and Palemoon.
    As mentioned in my post #105 – the copy\paste issue seems to be specific to Apache Open Office (no problems copy\pasting to Wordpad\Notepad, etc within Windows 8 Pro)

    And my situation is a tad complicated - I have Windows 8 Pro installed as a VM in Virtualbox – and Open Office installed in Windows 7 (my host) – so I have a requirement to copy\paste from my sandboxed browsers in Windows 8 to Open Office in Windows 7.

    The only thing that changed with 4.01.06 was that I no longer got the 'Requested Clipboard format is not available' message when trying to copy\paste.
    (it's NOT a Shared Folder issue!)

    Edit
    I failed to read my notes correctly – cannot copy\paste from sandboxed browsers in Windows 8 to anywhere in Windows 7.
     
    Last edited: Apr 27, 2013
  15. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,232
    Location:
    USA
    I posted this in Sandboxie Forums' Problem Reports section.
    Cruise
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,062
    Location:
    Nicaragua
    Hey Cruise, perhaps (if you haven't tried it) you can get cookies to remain after deleting the sandbox by allowing Direct access to IE cookies instead of adding the IE cookies folder to SBIE's Immediate Recovery list. In Applications>Web browser>Internet explorer, tick to allow direct access to internet explorer cookies.

    Bo
     
  17. Cruise

    Cruise Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    1,232
    Location:
    USA
    Bo,

    Thanks for that tip. I'll try that today and let you know if it solves my problem.

    Cruise

    Update: Bo, your suggested setting resulted in an improvement, but v4.01.xx still has cookie issues. To explain, my home page login is now 'remembered', but my gmail login is not (probably because my gmail cookies are stored elsewhere)!
     
    Last edited: Apr 28, 2013
  18. chris1341

    chris1341 Guest

    .07 has been out since April 29 for those who might have missed it.

    Cheers
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    7,157
    Location:
    USA
    Thanks, I did miss it this time. The betas must not check for updates.
     
  20. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    832
    Build .07. I have a small but annoying problem. I've created shortcuts for sandboxing programs via Windows shell integration option, pinned them to the taskbar, the programs open in the sandbox but they open to the far right instead of in place of the pinned icon, i.e:
    Untitled1.png

    It worked correctly with 3.76. Does anyone have the same problem, and how can I make it work, since taskbar space is sparse.
     
  21. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,438
    Location:
    Milan and Seoul
    Thanks.
     
  22. Sportscubs1272

    Sportscubs1272 Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    341
    Is the latest version 4.01.07 closer to release candidate (RC)? I have Windows 8 on my both of my machines. Just wondering if I am still safer using the older version of Sandboxie or should I switch to the beta version?
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,062
    Location:
    Nicaragua
    Sportscubs1272, yes, you are safe using V3.76. If V3.76 is working fine for you, then there is no need for you to upgrade to V4.01.07 at this time. A few days ago I read a post by Tzuk in which he said V4 still needs a little work before the stable is released. If you like to try the latest beta, I ll say go ahead, I am using it in my XP and W7 and only have one issue with one program in XP, none in W7.

    Bo
     
  24. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,062
    Location:
    Nicaragua
    V4.01.08 :cool: is out, people that haven't tried V4 and like to try it, can get the installer from here.

    http://www.sandboxie.com/phpbb/viewtopic.php?t=14453

    Installing/uninstalling Sandboxie takes seconds and doesn't break computers. If you decide to try this version and find an issue between SBIE and another program, help Sandboxie by reporting the problem in the SBIE forum.

    Bo
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,869
    Location:
    U.S.A. (South)
    Thanks for the heads up to. 08

    Been finding it a problem in the last beta. 07 where the delete command is not working as expected when issuing delete contents of sandboxes and so have to manually take that task. Otherwise its solid as its always been.

    Regards Easter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.