To all Sandboxie fans, please explain

Discussion in 'sandboxing & virtualization' started by Kees1958, Jan 2, 2009.

Thread Status:
Not open for further replies.
  1. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Aaah thanks Doodler. I was trying to look for a way to automatically move a file from 1 sandbox to another without the file ever touching my HDD. Come to think of it, that would be a nice feature. Not really priority but still. I guess for now it has to be done how you described it.
     
  2. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    That's the way I do it too. My download folder is forced into its own sandbox with no Internet access, blocked from accessing any data files, and the dropped rights option enabled.
    I like the new dropped rights option in Sandboxie. I have it enabled in my browsing box also. If I was to pick up something it is restricted to what it can do even within the sandbox.
     
  3. Murderlove

    Murderlove Registered Member

    Joined:
    Jul 18, 2008
    Posts:
    99
    Wait let me see if I understand what you have written Threedog.

    Let us say that I have 2 sandboxes and a folder on a different HDD where all the downloaded files go into called "downloads". 1 sandbox for Firefox, the other for testing with no internet access etc. In my Firefox sandbox I have specified the download folder in Quick Recovery. In my testing sandbox I have specified the download folder to run in the testing sandbox under Forced Folder.

    I now download a file, with my Firefox sandbox, to "downloads". Then go to "downloads", open up the file. The file should run in the testing sandbox right?
     
  4. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    You are right. Where the downloads folder is a forced folder, anything within that folder is also forced to run in the sandbox. I use the default sandbox for browsing and have the other sandbox configured for my downloads folder and testing.
     
  5. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    As described above, part of the process occurs unsandboxed and part occurs sandboxed...correct? In other words, the "Downloads" folder is on the real system, as well as all programs/files downloaded into it. However, when running the executables in the real "Downloads" folder, the programs/files are forced into the test sandbox.
    If my understanding is correct, is there any additional security risk with part of the process occurring unsandboxed?
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Another way is to:

    Have a 'downloads' folder.

    Sandbox 1 - force your browser to run in this Sandbox

    Sandbox 2 - force the 'downloads' folder to run in this Sandbox, with no net access.

    In both box 1 and box 2, allow direct access to this 'downloads' folder. No need to recover, as the files go directly to the real folder 'downloads'.

    Add an SRP rule for the folder 'downloads', and give it the 'Basic User' option (this requires a reg edit to enable). Now, not only is the 'downloads' directory forced to run in Sandbox 2, but also its contents are started with the 'Basic User' rights.

    More still, add option in your browser to not ask where to download, that all downloads shall go directly to 'downloads'. Simple and convenient.

    Sul.
     
  7. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    That is exactly the method I prefer, and now Sandboxie has a DropRights feature to eliminate this step. :)
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Mitch please explain how you assign these 'lower rights' to a specific location (for instance a dedicated directory like C:\Downloads or maybe a complete D:\data partition), so saved files outside the sandbox always run in a limited user environment.

    Cheers, Kees
     
  9. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    All you have to do is set whatever folder you are saving to as a ForceFolder within a given sandbox. This is usually a different sandbox than your browsing sandbox. This new sandbox may have extra settings such as no internet access (unless of course whatever you plan to run needs the net). Now also apply the new DropRights feature of Sandboxie to that new sandbox. Anything that runs from that download folder will run with lower rights. For me it is great with Office files, as I don't like to sandbox Office, but any new files I receive will open sandboxed and with lower rights, and the non-sandboxed computer runs as admin. The only thing you need to remember is that if you are evaluating a program and do decide to install it permanently to the real system, the program will no longer be governed by Sandboxie's DropRights setting, and will now run as whatever that user is set up for.
     
  10. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    This is really the innovative portion of Sully's post. Although I don't think you need the open file path in box2. I call these 'Wormholes' haha, little satellite folders where you are always going to click 'yes' to a download you initiate anyway. And once whatever it is gets to that download folder, if it turns out to be a surprise baddie it is still set in a sandbox, with no net access, with lower than admin rights ... etc.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Also note that while my sandboxes would have direct access to the 'downloads' folder, and that anything starting in the 'downloads' folder would be 'forced' into a sandbox, the inclusion of SRP 'Basic User' restriction on the 'downloads' folder ensures protection even IF SandboxIE fails to 'force' something. I prefer this to the DropRights setting in SandboxIE, because I believe SRP will be more resistant to failure than SandboxIE might be.

    Sul.
     
  12. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    That's a good point, and with Sandboxie's setting being a new setting is more likely correct. Just myself but I worry more on mixing up Windows itself. Sandboxie telling the folder this and Windows telling the folder that - I like to stay clear of that.
     
  13. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps you are missing a portion of a 'Basic User'. Their rights are to read and execute pretty much anything. However, modify permissions are only granted to a limited number of %profile% directories.

    When you start a program as a 'Basic User', and that program is within a sandbox, the 'Basic User' privileges no longer apply. Because, the directory c:\sandbox is not explicitly restricted. So it is like if you start IE as a 'Basic User', but within the sandbox 'Browsers', then IE performs as if it is an 'Admin'. This is because with a pseudo-virtual OS 'within' the sandbox, the file structure is actually c:\sandbox\windows\system32, and no restrictions apply.

    However, should IE (or any program ran with SRP restrictions) ever break OUT of the browsers sandbox, it is going to inherit the 'Basic User' rights. I don't know, does the DropRights checkbox in SandboxIE mean that SB itself drops its rights, or the program starting in the sandbox drops its rights?

    Sul.
     
  15. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    The programs that run inside that sandbox have the Administrator designation stripped away - if there is one. What you are stating though is actually what I thought. Let's say that you tell Windows that C:\Downloads is to be designated as to Basic User rights. Ok, now if it is set as a ForceFolder and actually runs as C:\sandbox\BlahBlah\Downloads I thought Windows would ignore it (Or maybe not, based on whatever mechanism tzuk is using to create this new location). But in any event, I wasn't sure. But by leaving the DropRights setting up to Sandboxie and keeping it all 'in-house' I at least knew what was happening.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Windows does not ignore it because it starts in a sandbox. Actually, by enforcing some.exe into sandbox, SB should inherit the rights and privileges of the .exe, whatever they may be. But it is because of where the files exist inside of the sandbox that one does not notice the rights restrictions.

    It is interesting though, and I have not paid attention to it till now, that if you start some.exe as Basic User, forced into sandbox, that within sandbox restriction does not apply. But to be 'safer' in sandbox, using the droprights would apply so that some.exe receives the same restrictions as if it were not sandboxed. Aka, cannot write to windows for example.

    One feature I like about using SRP restriction is that it is un-noticable within the sandbox. You can install and test or whatever, with assurance that it WILL stay only in the sandbox, because if it escapes sandbox, it has no rights to restricted areas.

    Sul.
     
  17. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Yes, I understand everything you are saying in relation to - let's call it a normal sandbox. But in this situation, you are creating a folder that will reside in Windows. That folder being forced, everything in it will open sandboxed. Like you said, the Basic User setting will have no effect, other than protection in event of a failure by Sandboxie. BTW, that failure would have to be a total failure of the ForceFolder setting and not specific to an individual program located in that folder. If a malware somehow thwarted Sandboxie and escaped from the sandbox, it would be escaping from C:\Sandboxie\Downloads which has not been set as a basic user.

    To me, that is a very minimal gain - unless you plan to at times disable sandboxing and use the folder as a normal folder. Then it would realize the Basic User setting you have set.

    Now that, vs. my concern which is this; Let's suppose the folder has been set to Basic User. You open the folder to look at the files. Sandboxie is not in action at this point. There are no ## in the title bar. Windows has tagged the activity as Basic User. Now you move your mouse and open a file and BAM - Sandboxie springs into action and changes the folder to C:\Sandboxie\BlahBlah\downloads and the file opens sandboxed and is not affected by the Basic User setting. haha Exaggerated for effect.

    Now the other way is to set the DropRights in Sandboxie and enjoy the benefits of the limited setting and have Sandboxie handle the rights of the total program (Sandboxie) and also the launched program. Keep in mind this is sorta like a storage ForcedFolder for data and such - not the primary browsing sandbox.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Not fair, I've been using Sandboxie twice as long as you fellas but you both know twice as much about it than I do ! :mad: :D
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I believe that if you set the 'downloads' directory to be restricted to 'Basic User' via SRP, and then start some.exe, some.exe will always inherit restricted rights. Just because some.exe is now forced to open in a sandbox does not drop the rights restrictions.. it only means that within the sandbox it has no restrictions. So, as you show example, if a some.exe thwarted SB and escaped, it would not be escaping from c:\Sandboxie\downloads, as it originated in the real downloads directory, and thus everything it does is restricted. I wonder if SB itself would inherit the restrictions. Or, does the hook in SB 'see' that downloads\some.exe is starting, and before it is assigned rights by the SRP, sandboxie FIRST starts it, thus some.exe inherits Sandboxie's rights.

    Do you know, when does SB take the some.exe and place it in its c:\sandbox directory? Is it after the thread has started? Or is it before? Hmm.

    I have never tried a test to see, is SB inheriting the 'Basic User' rights itself if some.exe is executed from an SRP'd folder.

    Good thoughts MitchE323.

    Sul.
     
  20. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    You also Sul, the answer to a lot of this is we don't know. I look at these situations like this; Sandboxie was created knowing it would be used within Windows. Windows was not created in any regard to Sandboxie. I gotta go with tzuk. :D
     
  21. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Don't worry at the rate I am losing brain cells. :eek:
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Interesting. I made a quick script and compiled it to an .exe that creates a directory and a file in c:\windows and c:\. These are both restricted areas to a 'Basic User'.

    If I run this .exe from the desktop, it does what it is supposed to.
    If I run this .exe from an SRP'd directory, it fails with error not sufficient privileges.
    If I run this .exe from an SRP'd forced folder with DropRights NOT checked, it performs the operations.
    If I run this .exe from an SRP'd forced folder with DropRights CHECKED, it performs the operations.
    If I run this .exe in same sandbox, but not forced folders, with DropRights CHECKED, it still performs the operations.

    Leading to the presumption that, whatever DropRights does, within the sandbox anyway, does not give the same restrictions as an SRP 'Basic User' setting. I wonder if the DropRights affects outside the sandbox, like direct access or something.

    Try it out and see.

    Sul.
     
  23. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Well that makes sense to me as the Sandboxie DropRights setting is not the same as the SRP Basic User. There is no doubt that the SRP setting is the more powerful. Where my confusion is; With a ForceFolder, why use it at all?

    Now, as you explained already, there is the benefit in case of a failure of some kind by Sandboxie. But since we are not counting on failures, with the DropRights setting through Sandboxie at least during the other 99.999% of the time that there is no failure - the user would at least have something that was less than admin. But I agree not as restrictive as the SRP Basic User.

    Now comes the question; "Why not use both?" and it is only there that I stated my misgivings about how those settings may interact during the action. Misgivings and my lack of knowledge as to those particulars, I might add.
     
  24. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Also I am assuming that "performs the operations" means that the directories created
    were sandboxed directories..... I hope. :eek:
     
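The probe below is an added example, not code from the thread: it repeats Sully's compiled-.exe test (create a directory and a file in C:\Windows and in C:\) and adds a `-Verify` pass that answers MitchE323's question about whether the items landed on the real disk or only inside the sandbox. It assumes Windows PowerShell with whoami.exe on the PATH; the item name `rights-probe` is constructed.

```powershell
# Added example (not from the thread). Run once as the probe from each location
# under test (desktop, SRP'd folder, SRP'd ForceFolder with DropRights on/off),
# then run again with -Verify from an ordinary, unsandboxed shell.
param([switch]$Verify)

$name    = 'rights-probe'                                # constructed name
$targets = @((Join-Path $env:SystemRoot  $name),         # C:\Windows\rights-probe
             (Join-Path $env:SystemDrive "\$name"))      # C:\rights-probe

if ($Verify) {
    # Seen from outside the sandbox: a directory that exists on the real disk
    # means the write was NOT contained; an absent one means the earlier
    # "WRITE OK" happened inside the sandbox only (or never happened).
    foreach ($dir in $targets) {
        if (Test-Path -LiteralPath $dir) {
            Write-Host "REAL      : $dir exists on the real disk"
            Remove-Item -LiteralPath $dir -Recurse -Force      # clean up
        } else {
            Write-Host "CONTAINED : $dir is not on the real disk"
        }
    }
    return
}

Write-Host "Process   : $PID  $((Get-Process -Id $PID).Path)"
# Token view for comparing the three set-ups: the Administrators group line
# (S-1-5-32-544) shows whether the process still holds admin or whether the
# group is marked deny-only, as an SRP 'Basic User' token has it; the S-1-16-*
# line (Vista and later only) is the integrity level.
whoami /groups | Select-String -Pattern 'S-1-5-32-544|S-1-16-'

foreach ($dir in $targets) {
    try {
        New-Item -ItemType Directory -Path $dir -ErrorAction Stop | Out-Null
        Set-Content -LiteralPath (Join-Path $dir 'probe.txt') -Value 'probe' -ErrorAction Stop
        Write-Host "WRITE OK  : $dir"        # matches Sully's "performs the operations"
    } catch {
        Write-Host "WRITE FAIL: $dir -> $($_.Exception.Message)"   # matches his SRP'd result
    }
}
Write-Host "Now rerun with -Verify from an unsandboxed shell to see where the items went."
```

SRP and ForceFolder act on the executable that starts in the folder, so, as Sully did by compiling to an .exe, launch the probe through something that lives in the folder under test (for example a .cmd wrapper there that calls `powershell.exe -File`), and the child inherits its rights.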
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I suppose it is that if SB were ever to become 'neutered', whether by force, corruption or an uninstall, the directory where exists the highest possibility of exposure is ensured to be locked down.

    I think though it is not a question of why to use/not use both. It is a question of just what are the downfalls of doing both. My testing shows that when an SRP'd program starts normally, it is restricted, and anything it does is restricted (child process inherits rights). Say for instance IE was restricted, and you were not using SB. If you then wanted to install maybe adobe flash, you could not because of the SRP restrictions to a basic user, who has no write/modify rights in certain directories/regkeys. So you would have to make an exception. Not hard to do really, but still.

    Now one of my favorite things about sandboxie is that if IE is started SRP'd, and I am in a sandbox, I am no longer hindered by such issues, as the sandbox directory is not restricted, even though it is writing to a 'windows' or 'program files' folder, in a round-about way. So I can install flash or whatever, as if I were normal admin. Of course all of this stays in the sandbox, but now look at this side (and this being a worst case scenario). If IE is SRP'd, and for some reason SB were to fail, one would be ensured of IE still being obedient to the rights policy set up. If however (again, worst case but still a possible vector) IE were only running in SB, if SB failed, IE would then be free again to roam as it pleased. Not a big deal for an advanced user, but SB is so nice that beginners can use it simply with great success. So I target theories towards that end.

    What I would like to find out (and probably have to go the SB forums soon) is just what does the SB DropRights do? If it does not actually start IE then (in real OS) with reduced rights, what good is it? For now I will assume that this is what it does, as it is the only thing that makes sense. Surely, a feature such as DropRights would not allow a directory and file to be made in the windows folder in the sandbox if it is only pseudo dropping rights in the sandbox. That is to say, a very basic restriction of rights should at least be to not mess with the windows folder. And if the DropRights is only applied to the rights of IE within the sandbox environment, I would think it would at least do that.

    I find this very intriguing, and will definitely see what the purpose is for it.

    Yes, by operations I mean creating the directory/file.

    Sul.
     