NTFS permissions

ç
Posts: 8
Joined: Sat May 31, 2008 7:54 pm


Post by ç » Wed Jun 18, 2008 10:32 am

I noticed that every file or folder created by Sandboxie on an NTFS volume has Full Control granted to the Everyone group. This sounds like a security issue to me, as anybody can read/write sandboxed content created by other users. I know that the sandboxes are supposed to be able to read each other's content, but I think there's no need to leave all files world-writable.

Wouldn't it be better if we could choose the NTFS permissions applied to the sandboxes or the container folder (without breaking compatibility with FAT units, of course)? Say, adding a system-wide option to set the permissions applied to the container folder, and a per-user option to set the permissions applied to all sandboxes belonging to that user.

Setting the permissions manually does seem to work, but newly created files don't inherit the permissions.
Last edited by ç on Sat Dec 13, 2008 9:08 pm, edited 1 time in total.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Jun 19, 2008 8:47 am

The rationale, even if you find it meaningless for your use case, is to make it easy for many user accounts to share the same sandbox, and to make it as easy as possible to move the contents of a sandbox across computers.

What if you set permissions on the folder above the sandboxes? Your sandboxes should be within a C:\Sandbox\user folder, so you can try to set permissions on that folder.

If you think that could be useful, consider that you may also need to strip the "Bypass traverse checking" privilege from user accounts on your computer.
tzuk

rotbart
Posts: 2
Joined: Sun May 06, 2012 7:09 pm

Post by rotbart » Sun May 06, 2012 7:17 pm

I noticed that every file or folder created by Sandboxie on an NTFS volume has Full Control granted to the Everyone group. This sounds like a security issue to me, as anybody can read/write sandboxed content created by other users. I know that the sandboxes are supposed to be able to read each other's content, but I think there's no need to leave all files world-writable.

Wouldn't it be better if we could choose the NTFS permissions applied to the sandboxes or the container folder (without breaking compatibility with FAT units, of course)? Say, adding a system-wide option to set the permissions applied to the container folder, and a per-user option to set the permissions applied to all sandboxes belonging to that user.

Setting the permissions manually does seem to work, but newly created files don't inherit the permissions.
I totally agree with you. On a multi-user system the default permissions of the Sandbox folder are unacceptable.
The rationale, even if you find it meaningless for your use case, is to make it easy for many user accounts to share the same sandbox, and to make it as easy as possible to move the contents of a sandbox across computers.
Why should different users share the same sandbox? What's the benefit?

Or do you refer to the "Sandbox" folder (i.e. C:\Sandbox)? If that is the case, I have to disagree with you, because this is not about the permissions of the C:\Sandbox folder, but rather about the permissions of the C:\Sandbox\<User> folders.

For example, the folder C:\Sandbox\rotbart should be readable/writable only by the user rotbart. However, at the moment every user of the system can read all the files in the sandboxes of all other users. This is a serious breach of privacy. :oops:

Best regards,
rotbart

Stephan

Post by Stephan » Sun Dec 02, 2012 1:17 pm

rotbart wrote:
I noticed that every file or folder created by Sandboxie on an NTFS volume has Full Control granted to the Everyone group. This sounds like a security issue to me, as anybody can read/write sandboxed content created by other users. I know that the sandboxes are supposed to be able to read each other's content, but I think there's no need to leave all files world-writable.

Wouldn't it be better if we could choose the NTFS permissions applied to the sandboxes or the container folder (without breaking compatibility with FAT units, of course)? Say, adding a system-wide option to set the permissions applied to the container folder, and a per-user option to set the permissions applied to all sandboxes belonging to that user.

Setting the permissions manually does seem to work, but newly created files don't inherit the permissions.
I totally agree with you. On a multi-user system the default permissions of the Sandbox folder are unacceptable.
The rationale, even if you find it meaningless for your use case, is to make it easy for many user accounts to share the same sandbox, and to make it as easy as possible to move the contents of a sandbox across computers.
Why should different users share the same sandbox? What's the benefit?

Or do you refer to the "Sandbox" folder (i.e. C:\Sandbox)? If that is the case, I have to disagree with you, because this is not about the permissions of the C:\Sandbox folder, but rather about the permissions of the C:\Sandbox\<User> folders.

For example, the folder C:\Sandbox\rotbart should be readable/writable only by the user rotbart. However, at the moment every user of the system can read all the files in the sandboxes of all other users. This is a serious breach of privacy. :oops:

Best regards,
rotbart
I support this 100%. Why should other people be able to open my sandbox by default?

rotbart
Posts: 2
Joined: Sun May 06, 2012 7:09 pm

Post by rotbart » Sat Dec 08, 2012 12:53 pm

Actually, this should not be in Feature Requests. It poses a serious vulnerability on multi-user systems. Anybody can see this.

fanish

Post by fanish » Sun Dec 09, 2012 6:20 am

rotbart wrote: Actually, this should not be in Feature Requests. It poses a serious vulnerability on multi-user systems. Anybody can see this.
I agree with what has been mentioned in this thread. I'm the only user of this system, but many people share the same system, using different user accounts, and therefore each user should have his/her own sandbox container folder, thus retaining privacy.

I hope this is taken care of as soon as possible.

fanish

Post by fanish » Sun Dec 09, 2012 6:22 am

fanish wrote:
rotbart wrote: Actually, this should not be in Feature Requests. It poses a serious vulnerability on multi-user systems. Anybody can see this.
I agree with what has been mentioned in this thread. I'm the only user of this system, but many people share the same system, using different user accounts, and therefore each user should have his/her own sandbox container folder, thus retaining privacy.

I hope this is taken care of as soon as possible.
What I meant by "each user should have his/her own sandbox container folder" is that it would work just fine if each user's sandbox container were created in the user profile folder instead of C:\.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sun Dec 09, 2012 11:16 am

There was a time, years ago, when the "Sandbox" folder was located at:
%AppData%\Sandbox

But it sometimes led to some very long paths to files in the sandbox, especially on XP:
Example:
C:\Documents and Settings\Paul\Application Data\Sandbox\DefaultBox\user\current\Mozilla\Firefox\Profiles\xxxxxxxx.Default\bookmarkbackups\bookmarks-2012-12-09.json

Occasionally the paths to files in the sandbox were much longer than that, if a program made use of many sub-folders.
It was enough to sometimes give Windows a problem, because those programs didn't anticipate that Sandboxie would add additional folders to the path to its files, so the "Sandbox" folder was moved to C:\Sandbox to shorten the path a little.

That's the default location for the "Sandbox" folder now, but anyone who wants to can move their sandboxes underneath the users' %AppData% folder by using "Set Container Folder" under the Sandbox menu:
%AppData%\Sandbox\%Sandbox%
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

fanish

Post by fanish » Mon Dec 10, 2012 10:21 am

Guest10 wrote: There was a time, years ago, when the "Sandbox" folder was located at:
%AppData%\Sandbox

But it sometimes led to some very long paths to files in the sandbox, especially on XP:
Example:
C:\Documents and Settings\Paul\Application Data\Sandbox\DefaultBox\user\current\Mozilla\Firefox\Profiles\xxxxxxxx.Default\bookmarkbackups\bookmarks-2012-12-09.json

Occasionally the paths to files in the sandbox were much longer than that, if a program made use of many sub-folders.
It was enough to sometimes give Windows a problem, because those programs didn't anticipate that Sandboxie would add additional folders to the path to its files, so the "Sandbox" folder was moved to C:\Sandbox to shorten the path a little.

That's the default location for the "Sandbox" folder now, but anyone who wants to can move their sandboxes underneath the users' %AppData% folder by using "Set Container Folder" under the Sandbox menu:
%AppData%\Sandbox\%Sandbox%
Now that you mention it, it actually makes sense for it to be placed at C:\Sandbox. So, as user rotbart said, it would be best if each user's sandbox were only available to that user, and also to the administrator, of course.

It would be similar to what happens in C:\Program Files (or another place). If the administrator wants, he can restrict user ABC from accessing a folder XYZ. Sandboxie could do the same for each user's sandbox. Only the user and the administrator would be able to access it.

:)

slbox
Posts: 17
Joined: Thu Dec 27, 2012 2:42 pm

Post by slbox » Sun Dec 30, 2012 3:50 pm

Thanks for pointing out this thread, Guest10.
Guest10 wrote: There was a time, years ago, when the "Sandbox" folder was located at:
%AppData%\Sandbox

But it sometimes led to some very long paths to files in the sandbox, especially on XP:
Example:
C:\Documents and Settings\Paul\Application Data\Sandbox\DefaultBox\user\current\Mozilla\Firefox\Profiles\xxxxxxxx.Default\bookmarkbackups\bookmarks-2012-12-09.json

Occasionally the paths to files in the sandbox were much longer than that, if a program made use of many sub-folders.
It was enough to sometimes give Windows a problem, because those programs didn't anticipate that Sandboxie would add additional folders to the path to its files, so the "Sandbox" folder was moved to C:\Sandbox to shorten the path a little.
Well I guess on Windows 7, it would be C:\Users\username\AppData\Roaming\SandBox\DefaultBox\... versus C:\Sandbox\username\DefaultBox\... So it saves about 20 characters in the path to keep it in C:\Sandbox. But still there is the possibility of paths that are too long even if you keep it in C:\Sandbox, right?
Guest10 wrote: That's the default location for the "Sandbox" folder now, but anyone who wants to can move their sandboxes underneath the users' %AppData% folder by using "Set Container Folder" under the Sandbox menu:
%AppData%\Sandbox\%Sandbox%
Thanks, I will look into that. The other possibility is to just change permissions on the C:\Sandbox\username directories.

slbox
Posts: 17
Joined: Thu Dec 27, 2012 2:42 pm

Post by slbox » Sun Jan 06, 2013 10:41 pm

tzuk wrote:What if you set permissions on the folder above the sandboxes? Your sandboxes should be within a C:\Sandbox\user folder, so you can try to set permission on that folder.

If you think that could be useful, consider that you may also need to strip the "Bypass traverse checking" privilege from user accounts in your computer.
I have changed the permissions on the C:\Sandbox\<username> folders, and can confirm that you would need to remove the "Bypass traverse checking" privilege in order to make it 100% secure. My limited-user account is not able to cd into C:\Sandbox\Administrator, but is able to cd into C:\Sandbox\Administrator\DefaultBox from the command line. That's not good.

From what I've read about the "Bypass traverse checking" privilege, it's probably not a good idea to remove it. Microsoft says on this page http://technet.microsoft.com/en-us/libr ... spx#BKMK_9 that many applications were designed under the assumption that users would have that privilege, so if you remove it, then applications may break. Also I've read that removing the privilege will decrease performance because the system needs to check the permissions of all the directories along a path.

Is there any reason why the C:\Sandbox\<username>\<sandbox name> folders need to have the Allow Full Control to Authenticated Users/Everyone permissions defined directly on them? Could you make those sandbox folders just inherit the permissions of C:\Sandbox\<username> (which I believe already defaults to allowing Full Control to Authenticated Users/Everyone)? That way people like me could change the permissions on C:\Sandbox\<username>, everything underneath would inherit them, and it would be fully secure.

Username

Post by Username » Thu Jan 17, 2013 2:15 pm

Ronen, why don't you let the people go?

I mean if a person is able to use your PC then what you could mind against it, pals?
If you were clever enough to use a simple login or even autologin then what it has to do with the SBIE, I wonder? I'll tell you what, the software is for virtual machine environment separation only, not for :oops:
Should you really like some extra-secure-secure security then consider using efs/ciphering, locking or an extra restricted partition, providing you have the rights.

Sorry guys, but you are not talking sense.


On the other hand, instead of bushing around in vain, perhaps it might be handy to have some keyfile, say on the flashdrive, without which users can't run/delete/configure the SBIE...

Even more loud cries and moans from those who 'purely by chance' lost the file, yep?

fanish

Post by fanish » Mon Jan 21, 2013 10:07 am

Username wrote: Ronen, why don't you let the people go?

I mean if a person is able to use your PC then what you could mind against it, pals?
If you were clever enough to use a simple login or even autologin then what it has to do with the SBIE, I wonder? I'll tell you what, the software is for virtual machine environment separation only, not for :oops:
Should you really like some extra-secure-secure security then consider using efs/ciphering, locking or an extra restricted partition, providing you have the rights.

Sorry guys, but you are not talking sense.


On the other hand, instead of bushing around in vain, perhaps it might be handy to have some keyfile, say on the flashdrive, without which users can't run/delete/configure the SBIE...

Even more loud cries and moans from those who 'purely by chance' lost the file, yep?
I think you're forgetting about one important aspect:

Not everyone owns their own computer. There are millions of children whose computers are property of their parents, and the parents control the use of the computer. That includes not letting brother A access sister B user account data. So, as a parent I would like to retain child A privacy from child B and so on and so forth.

Please, let's not discuss about parental control, because that's another topic and well taken care of in this house. I'm only talking about privacy. Child A has no business knowing what Child B is doing... only the parents have to know what happens under the different children user accounts.

It's just my opinion. But, I don't believe anyone should have to lose their privacy due to security.

Sputnik

Post by Sputnik » Mon Jan 21, 2013 4:42 pm

Username wrote: Ronen, why don't you let the people go?

I mean if a person is able to use your PC then what you could mind against it, pals?
If you were clever enough to use a simple login or even autologin then what it has to do with the SBIE, I wonder? I'll tell you what, the software is for virtual machine environment separation only, not for :oops:
Should you really like some extra-secure-secure security then consider using efs/ciphering, locking or an extra restricted partition, providing you have the rights.

Sorry guys, but you are not talking sense.


On the other hand, instead of bushing around in vain, perhaps it might be handy to have some keyfile, say on the flashdrive, without which users can't run/delete/configure the SBIE...

Even more loud cries and moans from those who 'purely by chance' lost the file, yep?
So if I download some horse (censored) to my computer and it sits there in Sandboxie I should have no privacy whatsoever just because I get turned on by something weird and I happen to have siblings, that's what you are saying?

HP was just an example BTW.

Guestd

Post by Guestd » Fri Mar 29, 2013 3:02 pm

I'd like to ask if one were to change the permissions in C:\Sandbox\username, what exactly would need to be done, in order to keep things secure/manageable?

By default the allowed groups are Authenticated Users and Everyone, and they all have full access, including to C:\Sandbox.

I was wondering if it would be a safe bet to mimic the C:\Users folder permissions in C:\Sandbox, meaning that the Everyone, SYSTEM, Administrators and Users groups would have access to C:\Sandbox. Then, for each C:\Sandbox\<user_account_name>, we would mimic the permissions of the user profile folders inside C:\Users, meaning that for each user sandbox folder we'd have permissions for SYSTEM, Administrators and User.account, with exactly the permissions we have in C:\Users and C:\Users\User.account respectively.

By doing this, User.A (and the administrator) would be able to access C:\Sandbox\UserA_Sandbox, but User.B would not, the same way it wouldn't be able to access User.B's user profile folder, and vice versa.

What do you think? And would a new Sandboxie install (an upgrade) restore the permissions back to what they were? (I suppose it would, not sure.)


Thanks
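An added example, not code from this thread or from Sandboxie, that audits and then applies the layout Guestd proposes while handling the inheritance problem slbox ran into (explicit Everyone grants on the box folders under C:\Sandbox\<user>). It assumes the default C:\Sandbox container root, an elevated PowerShell session, and the function and variable names are my own.

```powershell
# Added example, not code from this thread or from Sandboxie. Assumes the
# default container root C:\Sandbox and must run from an elevated PowerShell.
$SandboxRoot = 'C:\Sandbox'                  # assumption: default container folder
$WorldSids   = @('S-1-1-0', 'S-1-5-11')      # Everyone, Authenticated Users

function New-FullControlRule([string]$Identity) {
    # Full Control, inherited by subfolders (CI) and files (OI) below the folder
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

# Audit: every explicit (non-inherited) Allow ACE for Everyone or Authenticated
# Users below the container root; these keep a box reachable after its parent is locked down.
function Find-WorldAccessibleSandboxAces([string]$Root = $SandboxRoot) {
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force | ForEach-Object {
        $path = $_.FullName
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if (-not $ace.IsInherited -and $ace.AccessControlType -eq 'Allow' -and
                $WorldSids -contains $sid) {
                [pscustomobject]@{ Path = $path; Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Harden: give C:\Sandbox\<user> the same principals as C:\Users\<user>
# (SYSTEM, Administrators, the user), block inheritance from C:\Sandbox, and
# strip explicit ACEs from everything underneath so the boxes inherit instead.
function Set-PrivateSandboxAcl([string]$UserName, [string]$Root = $SandboxRoot) {
    $folder = Join-Path $Root $UserName
    $acl = Get-Acl -LiteralPath $folder
    $acl.SetAccessRuleProtection($true, $false)       # no inheritance from C:\Sandbox
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($old)             # drops the Everyone grant
    }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $UserName) {
        $acl.AddAccessRule((New-FullControlRule $id))
    }
    Set-Acl -LiteralPath $folder -AclObject $acl

    Get-ChildItem -LiteralPath $folder -Recurse -Force | ForEach-Object {
        $child = Get-Acl -LiteralPath $_.FullName
        $child.SetAccessRuleProtection($false, $false) # inherit from the parent again
        foreach ($old in @($child.Access | Where-Object { -not $_.IsInherited })) {
            [void]$child.RemoveAccessRule($old)
        }
        Set-Acl -LiteralPath $_.FullName -AclObject $child
    }
}
```

Run Find-WorldAccessibleSandboxAces first to see the explicit grants, then Set-PrivateSandboxAcl once per account. Because the box folders then carry no ACE of their own, an account that still holds "Bypass traverse checking" cannot open them either: that privilege only skips the traverse check on intermediate directories, not the access check on the target folder itself.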
