Drop Rights must be turned off in 4.01.09 (XP)

Listing issues addressed in beta version 4.01
Locked
Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Drop Rights must be turned off in 4.01.09 (XP)

Post by Guest10 » Sat May 25, 2013 3:01 pm

I realize that Drop Rights is probably on it's way out, but in the meantime 4.01.09 won't work for me if the configuration file contains a "DropAdminRights=y" setting (at least on XP).

2013-05-25 14:39:46 SBIE2337 Failed to start program: [33 / 5]
2013-05-25 14:39:46 SBIE2204 Cannot start sandboxed service RpcSs (5)

Turn off Drop Rights (UNcheck it) at:
Sandbox Settings > Restrictions > Drop Rights
Last edited by Guest10 on Sat May 25, 2013 4:16 pm, edited 2 times in total.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

sam

Post by sam » Sat May 25, 2013 3:19 pm

Works checked or unchecked now on Windows7 x64.
Probably an XP issue.

Sampei Nihira
Posts: 10
Joined: Wed May 22, 2013 12:05 pm

Post by Sampei Nihira » Sat May 25, 2013 3:58 pm

Setting "impossible" to use with XP,work for Tzuk.
釣りキチ三平

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun May 26, 2013 3:32 am

Sorry! I don't know why I keep breaking the Drop Rights feature for the past couple of updates. Version 4.01.10 should fix this problem.
tzuk

Sampei Nihira
Posts: 10
Joined: Wed May 22, 2013 12:05 pm

Post by Sampei Nihira » Sun May 26, 2013 4:14 am

tzuk wrote:Sorry! I don't know why I keep breaking the Drop Rights feature for the past couple of updates. Version 4.01.10 should fix this problem.
10 is OK.
TH.
釣りキチ三平

henri
Posts: 35
Joined: Thu Jan 03, 2013 2:51 pm

Post by henri » Sun May 26, 2013 8:47 am

Thanks, everything seems be ok, even with drop rights enable.

Thanks

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Post by DR_LaRRY_PEpPeR » Tue May 28, 2013 9:44 am

tzuk, as a result of checking stuff on the laptop (haven't in awhile, it still had .07), I'm now seeing SBIE2204 Cannot start sandboxed service RpcSs for the first time with .11 (with Drop Rights, otherwise default sandbox). Except the error code is 1309 (ERROR_NO_IMPERSONATION_TOKEN?).

Can't reproduce on main system. Will try to check back with previous versions (.08-.10). Can't think of anything else there, except it hasn't had any Windows updates since Feb. install...


Guest10 wrote:I realize that Drop Rights is probably on it's way out
Why do you say that...? :o
XP Home-as-Pro SP3 (Admin) w/ continued updates (Embedded/POSReady 2009)
> Permissions + "2-level" SRP, latest Sandboxie (Pro/registered), EMET 4, no anti-anything (ever)
Did I make tzuk crazed... in his last days? :o

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Post by DR_LaRRY_PEpPeR » Tue May 28, 2013 10:42 am

OK, it looks like .09, .10, and .11 are the same on the laptop -- just that RpcSs message (1309), not what Guest10 posted. (I haven't used .09 or .10 on main system.)

Yeah, the laptop had .07 on it before today, and that was fine. .08 broke with the same RpcSs message, with an additional SBIE2321 Cannot manage device map: [C0000022 / 88] when using Run Sandboxed.

All fine without Drop Rights.


And if there was a problem with Drop Rights on XP in .08 (or any version) I probably wouldn't notice on the main system, since all my "entry point" programs have rights dropped with SRP before forced sandboxing. I simply leave Drop Rights enabled "just in case" or for other occasional stuff...

bo.elam
Sandboxie Guru
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Post by bo.elam » Tue May 28, 2013 1:43 pm

No need to disable Drop rights in any of the sandboxes where I have it enabled while using .11 in XP.

Bo

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Post by DR_LaRRY_PEpPeR » Wed May 29, 2013 10:20 am

Just found it! Same thing was happening on fresh VirtualBox install, even after I applied latest updates (yet I can't reproduce on main system). It was pretty well untouched I figured, except checking over my stuff again quickly, I saw one of the things I DO change initially, just until after I'm done installing everything on a new install:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner = 0 (instead of default 1)

So if owner of stuff (objects) tries to be Admin, Sandboxie fails since .08 with Drop Rights. You probably might want to fix this, since it IS a real, legitimate thing people can set (it's a Group Policy option, I believe).


Extra info (unrelated to Sandboxie): I was going to use that setting full-time back when I first discovered dropping rights (before Sandboxie :)), but found that it caused some really, really random/weird things to happen for IE 6 with dropped rights. And on the laptop, it nearly killed me trying to figure out why the Dell wireless thing wouldn't work (running full Admin!), until I discovered it was failing because nodefaultadminowner=0, but ONLY because I hadn't yet set a password for the account!? Strange, strange stuff. I only use it now, temporarily, to make sure installed system stuff/programs is not owned by the user (to protect with dropped rights).

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Jun 02, 2013 2:32 pm

Alright, this should be taken care of in version 4.01.13. There was something similar for XP in version 4.01.09 but that was causing problem, and I had to undo that change. Hopefully I won't have to undo this change as well.
tzuk

DR_LaRRY_PEpPeR
Posts: 291
Joined: Wed Jul 04, 2012 6:40 pm
Location: St. Louis area

Post by DR_LaRRY_PEpPeR » Tue Jun 04, 2013 7:14 am

Yep, looked fine during my quick check on the laptop system that still has nodefaultadminowner=0 :)

dja2k
Posts: 121
Joined: Wed Sep 12, 2007 1:16 pm

Post by dja2k » Mon Jun 10, 2013 3:51 pm

I went from .11 to .13 update. Don't know if this is related to the dropped rights but in .13 with Firefox, I get the following....

SBIE2214 Request to start service 'wuauserv' was denied due to dropped rights
SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Firefox]
SBIE2220 To permit use of Administrator privileges, please double-click on this message line
SBIE2214 Request to start service 'bits' was denied due to dropped rights
SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Firefox]
SBIE2220 To permit use of Administrator privileges, please double-click on this message line
SBIE2214 Request to start service 'wuauserv' was denied due to dropped rights
SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Firefox]
SBIE2220 To permit use of Administrator privileges, please double-click on this message line

I don't get why wuauserv (a windows update service) is trying to run inside Firefox.

dja2k

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Jun 11, 2013 2:06 am

No, these errors were always there don't have to do with recent changes to Drop Rights.
You can't run services in the sandbox when Drop Rights is enabled.

Maybe you're trying to run some Microsoft software which is trying to check
for updates through the Automatic Updates service (wuauserv) ?
Try to delete the contents of your sandbox.
tzuk

dja2k
Posts: 121
Joined: Wed Sep 12, 2007 1:16 pm

Post by dja2k » Tue Jun 11, 2013 3:03 pm

I have always had the "delete function" enabled. I had never seen those before and I haven't change my configuration since v3.76 or before. Drop Rights has always been enabled in prior versions since it became available. I did notice that "silverlight configuration" tried to run so I allowed as I am running with restrictions. Still don't understand why a Windows Update service is trying to run inside my Firefox sandbox.

dja2k

Locked

Who is online

Users browsing this forum: No registered users and 0 guests