Symlink a sandboxed Firefox profile - no write access

[pladdis]

Hello,

so the situation is the following:
- W7x64, Sandboxie 3.76 (64bit)
- Sandbox main folder on F:\
- Sandboxed firefox profile folder somewhere in this folder on f:\...\appdata\mozilla\...

Now I do want to have this firefox profile on another drive, my SSD C:\ but not the rest of the sandbox.
So my idea was to simply symlink this profile folder to c:\. This symlink works perfectly fine when accessed from outside the sandbox, but when for example I use the sandboxed Explorer I can view the folder and all the symlinked contents (also open files) but I cannot get write access to it.
I pretty much allowed everyone with NTFS rights to the c:\symlinkedFFprofile\.
So did I forgot adding some NTFS rights or is this an issue with sandboxie protection system?

Is there another way to do what I want (the folder redirection has to go to some specific folder on C:\ not the standard in \users\appdata\...) ?
Thank you

[BUCKAROO]

Seems Sandboxie doesn't like symbolic links to remote volumes.
Find a way to make your F: mount behave like a local volume...
(Keep profile in a VirtualHD file on F: and mount new letter.)

[Guest10]

If I understand correctly, you have multiple Firefox profiles and want to be able to specify which one is used when you run Firefox.
A shortcut to the Firefox program can specify which profile to use by adding that information to the end of the "Target" box, in the shortcut.

For example, the Fx profile that I've named as "Secure" will be used when I use a shortcut to run Fx sandboxed, and has this Target line (the profile's name must be listed inside of quotes):

"C:\Program Files\Sandboxie\Start.exe" /box:SecureBox "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -P "Secure"

(That line also specifies to use the sandbox that I have created, called SecureBox)

The profile's name must be listed in the Fx file "profiles.ini" in order to use the -P "Secure" method of specifying which profile to use. Otherwise, you must list entire path to the profile folder at the end of the line:
-profile "C:\path\to\profile folder"

http://kb.mozillazine.org/Command_line_arguments

[pladdis]

If I understand correctly, you have multiple Firefox profiles and want to be able to specify which one is used when you run Firefox.

No.
I want this: "Now I do want to have this firefox profile on another drive, my SSD C:\ but not the rest of the sandbox."
I need only this one folder to be on another drive.

[Guest10]

So use the Profile Manager for Firefox to create a profile on C: drive, and then do as I suggested above.
Just be aware that using the Profile Manager to create a new profile will cause that new profile to be selected as the one that will be used by default. To select a different profile as your default profile, you must run Profile Manager again, select the profile that you want as your default profile, and then Start Firefox from that Profile Manager window.

[pladdis]

My sandbox folder is on F:\Sandbox\\SandboxName\...
When I create a new user profile on "c:\" in that Sandbox it will not be on c:\ but on f:\Sandbox\\SandboxName\drive\C\...
I do not want to have that profile on the real f:\ drive but instead on the real c:\ drive.
I only have one FF profile in the sandbox right now.

[Guest10]

My sandbox folder is on F:\Sandbox\\SandboxName\...
When I create a new user profile on "c:\" in that Sandbox it will not be on c:\ but on f:\Sandbox\\SandboxName\drive\C\...
I do not want to have that profile on the real f:\ drive but instead on the real c:\ drive.

You don't create the new profile in a sandbox. You run the Firefox Profile Manager unsandboxed, and create the profile on the real C: drive.

[pladdis]

And how does that help me?

Then I have a profile on c:\... and as soon as I start this FF sandboxed with this profile and save something like a bookmark it will be written to f:\sandbox\\sandboxname\drive\c\...
So it is on f:\ again.

[BUCKAROO]

Going on this thread of multiple profiles (or even to share one), regards the bookmark thing (not to mention Firefox updates), you would just OpenPipePath.

I gathered from the get go that you want to share the Sandbox profile: (So, like, why create yet another profile?)

But we don't know why you'd want to symlink a new folder on C: with your profile on F: when you could just create a program shortcut (if that's what you want to do, use the thing) there with the -profile "" switch to the Sandbox path like you would have to have done anyway but going off a symlink at the root of C:\ (had Sbie been compatibile with symlinks to remote (network mapped or exotic) volumes).

Otherwise, if a shortcut .lnk is too simple and you're adamant that you want the profile to really reside on C then... I suppose if the filesystem and interface to F: supports symbolic links (check first won't you), you could do somethin' radical and move (cut'n'paste) the profile to somewhere on C: and create a directory symbolic link within the Sandbox (at the now vacant path) and target the moved (pasted) profile on C. Do not execute the MKLINK cmd inside the Sandbox nor from a working directory within its paths. If F: is a networked path, you could conceivably create the symlinkd at the host machine to the imaginary path on C:, symlinks *should* be exposed to clients, junctions are not so much flexible. You'll have to recreate the symlinkd everytime you empty the Sandbox, which is troublesome especially with non-existing paths.

G'luck with that.

[Guest10]

Every instance of Firefox "knows" where its profile folder is located. If it didn't "know", then when it ran it would create a new profile folder and files in the default location.

Therefore, if you tell firefox.exe on a shortcut's command line (using the Target box) which profile you want it to use, and you then select to allow Firefox items out of that sandbox, they will be saved to that location outside of the sandbox. I assume that you want to update items like bookmarks in the profile on C drive.

You could use Sandbox Settings > Resource Access > File Access > Direct Access (assuming that you are using a firefox.exe that is located outside of a sandbox). If firefox.exe was located inside of a sandbox, then Full Access instead of Direct Access would be needed.
Select "firefox.exe" using the "Add Program" button when creating your settings, so that the exclusions you create apply only to Firefox.

You could select the entire profile folder on C drive in the Direct Access setting. Or, select individual files in that manner.

Or, you could just use Configure > Edit Configuration in Sandboxie Control to add specific items like this to the settings for that sandbox:
OpenFilePath=firefox.exe,*\bookmark*
OpenFilePath=firefox.exe,*\places.*
to allow bookmarks and their backups to be saved out of the sandbox to the profile folder that Firefox is using, wherever it is located. Those items would be saved out of the sandbox to the C drive profile folder, if that's the profile that you told it to use.

My 2 most used Firefox profiles use this method, by adding settings like this in a Local Template that "white lists" items that I want to allow Firefox to save outside of the sandbox, and then applying that template to the appropriate sandboxes.
Since I tell Firefox which of those 2 profiles to use, on the shortcut's command line, it knows exactly where the actual profile folder is located. So it will save the items that I white list out of the sandbox, regardless of the actual location of the profile folder - so, I use the same local template to list items to be allowed out of the sandbox, when using either one of those profiles.

[pladdis]

I gathered from the get go that you want to share the Sandbox profile: (So, like, why create yet another profile?)

No, the reason is, that at the moment my Sandbox is on F:\ as intended because of more space, all downloads and stuff should go there, but the profile of FF itself should be on C:\ because this is an encrypted drive, F:\ is not. So I need the FF to run sandboxed but the profile folder to be on the physical C:\ drive and not in the standard F:\Sandbox\... folder.

Otherwise, if a shortcut .lnk is too simple and you're adamant that you want the profile to really reside on C then... I suppose if the filesystem and interface to F: supports symbolic links (check first won't you), you could do somethin' radical and move (cut'n'paste) the profile to somewhere on C: and create a directory symbolic link within the Sandbox (at the now vacant path) and target the moved (pasted) profile on C. Do not execute the MKLINK cmd inside the Sandbox nor from a working directory within its paths.

Yes, this is what I tried - the symlink works perfectly fine outside the sandbox, but sandboxie seem to not like them.

then select to allow Firefox items out of that sandbox [...]
You could use Sandbox Settings > Resource Access > File Access > Direct Access (assuming that you are using a firefox.exe that is located outside of a sandbox). If firefox.exe was located inside of a sandbox, then Full Access instead of Direct Access would be needed.
Select "firefox.exe" using the "Add Program" button when creating your settings, so that the exclusions you create apply only to Firefox.

Ok this was the puzzle piece needed to solve the problem, I will try this.
Thank you