Printing in citrix

Lucus · Post by **Lucus** » Fri Jul 13, 2007 3:18 pm

I am evaluating Sandboxie for use in our office. unfortunately i cannot get our citrix program to print while running in sbie. the entries i get in sbietrace are as follows:

(003404) SBIE (FI) 00000022 \Device\SandboxieDriverApi (null)
(003404) SBIE (FI) 00000039 \Device\KsecDD (null)
(003404) SBIE (FI) 00000039 \Device\KsecDD (null)

i have tried the folowing entries in my config file:

openpipepath=pcl2bmp.exe,\Device\namedpipe\SandboxieDriverApi
openpipepath=pcl2bmp.exe,\Device\namedpipe\KsecDD

and

openpipepath=pcl2bmp.exe,\Device\SandboxieDriverApi
openpipepath=pcl2bmp.exe,\Device\KsecDD

and neither seems to work

i do not know what the sandboxiedriverapi does, but i think it may have something to do with letting sandboxed programs talk with the printer. the ksecdd process is a windows authentication process that citrix needs to authenticate the user and make sure they have permission to print on that machine.

SnDPhoenix · Post by **SnDPhoenix** » Fri Jul 13, 2007 3:34 pm

Try adding this to your ini:

OpenFilePath=c:\windows\system32\spool\printers\*

Does it work?

lucus · Post by **lucus** » Fri Jul 13, 2007 3:56 pm

that would be a negative

lucus · Post by **lucus** » Fri Jul 13, 2007 4:35 pm

Is it possible to force a process to run outside the sandbox? the only reason that this is an issue is because citrix launches from the sandboxed web browser. i f i could force just this process to run outside the sandbox, but any other process started by the browser would run inside the sandbox, that would fix the problem. citrix does not need anything from the browser once it starts, all the browser does is authenticate the login and present the "icon" to start the remote desktop.

wraithdu · Post by **wraithdu** » Fri Jul 13, 2007 6:02 pm

I don't know how to force a program out of the sandbox, but you could just open up everything for your program -

OpenPipePath=pcl2bmp.exe,*
OpenKeyPath=pcl2bmp.exe,*
OpenIpcPath=pcl2bmp.exe,*

etc. for whatever is necessary.

lucus · Post by **lucus** » Fri Jul 13, 2007 6:35 pm

i have another question: why does sbie ignore any process request that ends with a (null)? is it because no specific function was requested of that process?

here is the output of sbietrace while citrix starts up and then preformes a print (in this case just a test page):

(002228) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002228) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002228) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002228) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002228) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002228) SBIE (FI) 00000012 \Device\MountPointManager (null)
(003400) SBIE (KD) 00000003 \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
(003400) SBIE (FI) 00000022 \Device\SandboxieDriverApi (null)
(003400) SBIE (FI) 00000039 \Device\KsecDD (null)
(003400) SBIE (FI) 00000039 \Device\KsecDD (null)
(003400) SBIE (GD) PostMessage 01224 (04C8) to hwnd=0003006A pid=000716 DDEMLMom
(003400) SBIE (FI) 00000012 \Device\MountPointManager (null)
(003400) SBIE (FI) 00000012 \Device\MountPointManager (null)
(003400) SBIE (FI) 00000012 \Device\MountPointManager (null)
(003400) SBIE (FI) 00000012 \Device\MountPointManager (null)
(003400) SBIE (FI) 00000012 \Device\MountPointManager (null)
(003400) SBIE (FI) 00000012 \Device\MountPointManager (null)
(003400) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(003400) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(003400) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(003400) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002372) SBIE (KD) 00000003 \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
(002372) SBIE (FI) 00000022 \Device\SandboxieDriverApi (null)
(002372) SBIE (FI) 00000039 \Device\KsecDD (null)
(002372) SBIE (FI) 00000039 \Device\KsecDD (null)
(002372) SBIE (FI) 00000035 \Dfs (null)
(002372) SBIE (FI) 00000035 \Dfs (null)
(002372) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002372) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002372) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002372) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002372) SBIE (FI) 000000F1 \Device\RasAcd (null)
(002372) SBIE (FI) 000000F1 \Device\RasAcd (null)
(002248) SBIE (KD) 00000003 \REGISTRY\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
(002248) SBIE (FI) 00000022 \Device\SandboxieDriverApi (null)
(002248) SBIE (FI) 00000039 \Device\KsecDD (null)
(002248) SBIE (FI) 00000039 \Device\KsecDD (null)
(002248) SBIE (FI) 00000012 \Device\Ndis (null)
(002248) SBIE (FI) 00000012 \Device\Ndis (null)

(002248) SBIE (FI) 00000035 \Dfs (null)
(002248) SBIE (FI) 00000035 \Dfs (null)
(003400) SBIE (FI) 00000012 \Device\Tcp (null)
(003400) SBIE (FI) 00000012 \Device\Tcp (null)
(003400) SBIE (FI) 00000012 \Device\Tcp (null)
(003400) SBIE (FI) 00000012 \Device\Tcp (null)
(003400) SBIE (FI) 00000012 \Device\Ip (null)
(003400) SBIE (FI) 00000012 \Device\Ip (null)
(003400) SBIE (FI) 00000012 \Device\Ip (null)
(003400) SBIE (FI) 00000012 \Device\Ip (null)
(003400) SBIE (FI) 00000012 \Device\Ip (null)
(003400) SBIE (FI) 00000012 \Device\Ip (null)
(003400) SBIE (PD) 001F0FFF 002316
(003400) SBIE (FI) 000000F1 \Device\RasAcd (null)
(003400) SBIE (FI) 000000F1 \Device\RasAcd (null)
(002948) SBIE (FI) 00000022 \Device\SandboxieDriverApi (null)
(002948) SBIE (FI) 00000039 \Device\KsecDD (null)
(002948) SBIE (FI) 00000039 \Device\KsecDD (null)
(002948) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002948) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002948) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002948) SBIE (FI) 00000022 \Device\WMIDataDevice (null)
(002948) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002948) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002948) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002948) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002948) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002948) SBIE (FI) 00000012 \Device\MountPointManager (null)
(002948) SBIE (FI) 00000021 \Device\Netbios (null)
(002948) SBIE (FI) 00000021 \Device\Netbios (null)

[2948] 07-13-2007 13:12:39:144 CONNECTED to Server
[2948]
(002204) SBIE (FI) 00000022 \Device\SandboxieDriverApi (null)
(002204) SBIE (FI) 00000039 \Device\KsecDD (null)
(002204) SBIE (FI) 00000039 \Device\KsecDD (null)

in this example pid 2948 is citrix, pid 2204 is the citrix print program, pid 3400 is firefox, pid 2372 is (strangely enough) sbierpcss and pid 2248 is sbiedcomlaunch. why are the two sbie processes being denied access?

this is the relevant portion of my config file:

OpenWinClass=winpatrol
OpenWinClass=CBViewerClass
openipcpath=\RPC Control\IcaApi
openkeypath=wfica32.exe,HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\

SafeBoot\Option
openkeypath=wfica32.exe,HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Safe

Boot\Option
openkeypath=pcl2bmp.exe,HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\

SafeBoot\Option
openkeypath=pcl2bmp.exe,HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Safe

Boot\Option

OpenFilePath=c:\windows\system32\spool\printers\*

openpipepath=\Device\NamedPipe\wkssvc
openpipepath=\Device\NamedPipe\lsarpc
openpipepath=\Device\SandboxieDriverApi
openpipepath=\Device\KsecDD
openpipepath=\Device\00000040*

right now it is pretty insecure, but the idea is to get it working, then go back and see what doesn't need to be open to make it work. i put the safeboot options in just to get them out of the debug log. looks like i need to put in a few more. what confuses me is that i put an exception in for the ksecdd and sandboxiedriverapi, why are they still being ignored? shouldn't they have direct access now? as in not be filtered at all?

lucus · Post by **lucus** » Fri Jul 13, 2007 6:51 pm

woot, now that is progress! now i get an error "sbie2320 could not disable windows explorer as desktop process: [11 / c000000a]"
in addtion to what wraithdu sugested i also added "openfilepath=pcl2bmp.exe,*" but i get the same error. and the errors

(003404) SBIE (FI) 00000022 \Device\SandboxieDriverApi (null)
(003404) SBIE (FI) 00000039 \Device\KsecDD (null)
(003404) SBIE (FI) 00000039 \Device\KsecDD (null)

still show up, along with a citrix error, which is new.

lucus · Post by **lucus** » Fri Jul 13, 2007 7:28 pm

ok, we are making some real progress

after adding

OpenPipePath=wfica32.exe,*
OpenKeyPath=wfica32.exe,*
OpenIpcPath=wfica32.exe,*
openfilepath=wfica32.exe,*
openfilepath=firefox.exe,*

to the config file i can get citrix to print, but the same error message comes up and the original ignored requests still show up in the debug log. we have also successfully put a large hole in the sandbox by allowing firefox unrestricted access to the hd. i know what file firefox and citirx need to share to get thinkgs to work. it is located at %local settings%\temp. think is i cant get it to put it there.

i tried

openfilepath=firefox.exe,"%local settings%\temp"

and

"openfilepath=firefox.exe,%local settings%\temp"

but it wont put the file where citrix (which can't see the sandboxed local settings\temp) can get it. basically i can't get paths with spaces to work with openfilepath. ideally i would prefer something like this:

openfilepath=wfica32.exe,*
openfilepath=!wfica32.exe,"%local settings%\temp"

so that firefox doesn't have any access at all and wfica32 uses the directory in the sandbox that it needs to get the ica.ini file that firefox downloads there.

wraithdu · Post by **wraithdu** » Fri Jul 13, 2007 7:55 pm

You don't need " " for paths in the ini. Even the default paths have spaces and no " ". Also OpenPipePath is the same as OpenFilePath except it allows programs residing in the sandbox access. So I suppose in this case that OpenFilePath is sufficient. Also I don't think log items that are ignored mean anything really. So try maybe -

OpenFilePath=wfica32.exe,*
OpenKeyPath=wfica32.exe,*
OpenIpcPath=wfica32.exe,*
OpenFilePath=pcl2bmp.exe,*
OpenKeyPath=pcl2bmp.exe,*
OpenIpcPath=pcl2bmp.exe,*

OpenFilePath=firefox.exe,%Local Settings%\Temp\ica.ini

Are you saying that the citrix print program is running un-sandboxed? So it's already started in the system, and not launched by firefox?

lucus · Post by **lucus** » Fri Jul 13, 2007 8:19 pm

pcl2bmp is started by citirx whenever it has a print job. it is how citrix hands the print job to the local machine. when the print job is done (at least done according to citrix, not necessarily actually done printing) pcl2bmp terminates. so no, it is not running outside the sandbox. ill give your settings a try, thanks. as to the quotes, my bad, I'm used to cmdline stuff where paths with spaces need quotes. sorry

wraithdu · Post by **wraithdu** » Fri Jul 13, 2007 8:36 pm

Ok, so firefox launches pcl2bmp. What is wfica32 then? Another process launched by firefox or pcl2bmp? Or is that the local citrix app?

Lucus · Post by **Lucus** » Fri Jul 13, 2007 8:38 pm

that config does get everything to work, but i still get that error message "sbie2320 could not disable windows explorer as desktop process: [11 / c000000a]"

i would like to know how to fix this, or if it is not a problem, turn it off. thanks again!

lucus · Post by **lucus** » Fri Jul 13, 2007 8:44 pm

it works like this: firefox logs into the server, authenticates the user, downloads the ica.ini file and starts wfica32 (citrix). that part works totally fine all sandboxed up. the problem comes when you try to print. wfica32 launches pcl2bmp, which, when sanboxed, does nothing. with your config it does print, but gives that weird error message, which is guaranteed to confuse at least some of our users.

tzuk · Post by **tzuk** » Sun Jul 15, 2007 8:02 am

That message shouldn't appear anyway. So if that's your only concern, lucus, it will disappear soon. The "c000000a" is an internal error code that is used to indicate something internally, it's a bug that it appears at all.

tzuk · Post by **tzuk** » Sun Jul 15, 2007 11:13 am

You can re-download Sandboxie 3, which is now version 3.00.02, and you shouldn't get this error message anymore.

Sandboxie Support

Printing in citrix

Printing in citrix

Who is online