Sandboxie Support

I realize that Drop Rights is probably on it's way out, but in the meantime 4.01.09 won't work for me if the configuration file contains a "DropAdminRights=y" setting (at least on XP).

2013-05-25 14:39:46 SBIE2337 Failed to start program: [33 / 5]
2013-05-25 14:39:46 SBIE2204 Cannot start sandboxed service RpcSs (5)

Turn off Drop Rights (UNcheck it) at:
Sandbox Settings > Restrictions > Drop Rights

Works checked or unchecked now on Windows7 x64.
Probably an XP issue.

Sorry! I don't know why I keep breaking the Drop Rights feature for the past couple of updates. Version 4.01.10 should fix this problem.

tzuk wrote:Sorry! I don't know why I keep breaking the Drop Rights feature for the past couple of updates. Version 4.01.10 should fix this problem.

10 is OK.
TH.

Thanks, everything seems be ok, even with drop rights enable.

Thanks

tzuk, as a result of checking stuff on the laptop (haven't in awhile, it still had .07), I'm now seeing SBIE2204 Cannot start sandboxed service RpcSs for the first time with .11 (with Drop Rights, otherwise default sandbox). Except the error code is 1309 (ERROR_NO_IMPERSONATION_TOKEN?).

Can't reproduce on main system. Will try to check back with previous versions (.08-.10). Can't think of anything else there, except it hasn't had any Windows updates since Feb. install...

Guest10 wrote:I realize that Drop Rights is probably on it's way out

Why do you say that...?

OK, it looks like .09, .10, and .11 are the same on the laptop -- just that RpcSs message (1309), not what Guest10 posted. (I haven't used .09 or .10 on main system.)

Yeah, the laptop had .07 on it before today, and that was fine. .08 broke with the same RpcSs message, with an additional SBIE2321 Cannot manage device map: [C0000022 / 88] when using Run Sandboxed.

All fine without Drop Rights.


And if there was a problem with Drop Rights on XP in .08 (or any version) I probably wouldn't notice on the main system, since all my "entry point" programs have rights dropped with SRP before forced sandboxing. I simply leave Drop Rights enabled "just in case" or for other occasional stuff...

No need to disable Drop rights in any of the sandboxes where I have it enabled while using .11 in XP.

Bo

Just found it! Same thing was happening on fresh VirtualBox install, even after I applied latest updates (yet I can't reproduce on main system). It was pretty well untouched I figured, except checking over my stuff again quickly, I saw one of the things I DO change initially, just until after I'm done installing everything on a new install:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner = 0 (instead of default 1)

So if owner of stuff (objects) tries to be Admin, Sandboxie fails since .08 with Drop Rights. You probably might want to fix this, since it IS a real, legitimate thing people can set (it's a Group Policy option, I believe).


Extra info (unrelated to Sandboxie): I was going to use that setting full-time back when I first discovered dropping rights (before Sandboxie ), but found that it caused some really, really random/weird things to happen for IE 6 with dropped rights. And on the laptop, it nearly killed me trying to figure out why the Dell wireless thing wouldn't work (running full Admin!), until I discovered it was failing because nodefaultadminowner=0, but ONLY because I hadn't yet set a password for the account!? Strange, strange stuff. I only use it now, temporarily, to make sure installed system stuff/programs is not owned by the user (to protect with dropped rights).

Alright, this should be taken care of in version 4.01.13. There was something similar for XP in version 4.01.09 but that was causing problem, and I had to undo that change. Hopefully I won't have to undo this change as well.

Yep, looked fine during my quick check on the laptop system that still has nodefaultadminowner=0

I went from .11 to .13 update. Don't know if this is related to the dropped rights but in .13 with Firefox, I get the following....

SBIE2214 Request to start service 'wuauserv' was denied due to dropped rights
SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Firefox]
SBIE2220 To permit use of Administrator privileges, please double-click on this message line
SBIE2214 Request to start service 'bits' was denied due to dropped rights
SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Firefox]
SBIE2220 To permit use of Administrator privileges, please double-click on this message line
SBIE2214 Request to start service 'wuauserv' was denied due to dropped rights
SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Firefox]
SBIE2220 To permit use of Administrator privileges, please double-click on this message line

I don't get why wuauserv (a windows update service) is trying to run inside Firefox.

dja2k

No, these errors were always there don't have to do with recent changes to Drop Rights.
You can't run services in the sandbox when Drop Rights is enabled.

Maybe you're trying to run some Microsoft software which is trying to check
for updates through the Automatic Updates service (wuauserv) ?
Try to delete the contents of your sandbox.

I have always had the "delete function" enabled. I had never seen those before and I haven't change my configuration since v3.76 or before. Drop Rights has always been enabled in prior versions since it became available. I did notice that "silverlight configuration" tried to run so I allowed as I am running with restrictions. Still don't understand why a Windows Update service is trying to run inside my Firefox sandbox.

dja2k