Sandboxie Support

Run a program ouside of the sandbox!!

IE: Windows / Microsoft Update or run FF out of the sandbox to update the extensions / themes

This feature shoud override the "forced programs" option...

Both of these functions are available already, but not as specifically named features. Perhaps you know that and are just asking for specific settings focused on these particular actions like updating Windows or adding extensions to Firefox, but both can be done quite easily already from the existing GUI.

In case you're not aware of that, here's how I do both of these. If you already know this, perhaps the info will help someone else.

Windows Update

Just before opening IE and selecting Tools/Windows Update, I open the Sandboxie GUI and select Options/Temporarily Disable Forced Programs. Then I have 10 seconds to start IE. Once IE opens outside the sandbox, I can take as long as needed to do the updates. (The 10 second deadline is built into Sandboxie and only applies to starting a forced program outside the sandbox.)

Update or Add Firefox Bookmarks, Extensions and Themes

I have Firefox as a forced program, but I allow updates transparently by adding the following setting in the Sandboxie config file under [Default Box]:

OpenFilePath=firefox.exe,C:\Program Files\Mozilla Firefox\defaults\profile

That allows any changes I make to my Firefox bookmarks, themes or extensions to be made outside the sandbox.


Hope that helps you or someone else.

SBIE (Happy) User

Nice summary SBIE User, just one small addition:

(The 10 second deadline is built into Sandboxie and only applies to starting a forced program outside the sandbox.)

10 seconds is a built-in default, but it is configurable:

(in Sandboxie.ini)

[GlobalSettings]
...
ForceProcess=...
ForceDisableSeconds=30

You can set any number of seconds.

The ForceDisable period ends as soon as you launch one of the forced processes, or when the configured (or defaulted) number of seconds has elapsed.

Thanks, tzuk. I didn't know about that.

10 seconds is really enough and has never been a problem, but I knowing I have an extra few seconds. I don't like pressure!

SBIE (Happy) User

Is this example given by "SBIE user" safe?

If you look at the File Copy Options, (Configuration / Sandbox settings / Set File Copy Options) there are check boxes which include "Allow Mozilla Firefox full access to profile files, such as bookmarks and extensions (NOT Recommended)". If however you ignore the negative recommendation, it allows access to the full Profiles folder (see the resulting Sandboxie.ini file) . I don't know why this is unsafe - which is why I am asking here. Maybe it's the access to registry keys which is unsafe?

(Actually my folder structure is different - I use XP, maybe "SBIE user" uses a different implementation of Windows?)

The reason I ask is that I want to include parts of the profiles - the passwords and bookmarks. However as bookmarks are implemented as html files is this why this is unsafe?

Lord HiperiX wrote:I don't know why this is unsafe - which is why I am asking here. Maybe it's the access to registry keys which is unsafe?

This is why it's not recommended:

SBIE User wrote:That allows any changes I make to my Firefox bookmarks, themes or extensions to be made outside the sandbox.

(Emphasis mine.) You may want to share just the sandboxed bookmarks with the outside system, but effectively you are sharing the enitre profile folder, including extensions and themes.

If you think that's just fine, ignore my negative recommendation, and Just Do It.

Thanks tzuk for the answer. I have implemented a more restricted access to profiles. i.e. only bookmarks and passwords via adding this to the configuration sandboxie.ini file

OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\xxxxxxx.default\bookmarks.html
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\xxxxxxx.default\signons.txt
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\xxxxxxx.default\key3.db

(xxxxxxx is my particular FF profiles folder)

This works fine. I prefer not to allow access to extensions outside the sandbox, not because I know of any particular risk but just to be safe as I don't have an extension which needs this access.