Similar Concept...

random-sandboxie-user

Post by random-sandboxie-user » Tue May 29, 2007 5:47 pm

Hi Tzuk... I saw this while googling around, and thought,
since it's open-source, that you might be interested in its implementation,
maybe it will give you a few more ideas or something...
Unfortunately, documentation is in Italian...

Direct link, binary and sources:
http://www.s0ftpj.org/tools/iam-1.0.2.1.zip

(...Since I haven't written/compiled it myself,
I give NO guarantee that the binary is safe/trustworthy to use.
This goes out to all people out there that don't know how to read code.)

Documentation (in Italian):
http://www.s0ftpj.org/bfi/dev/BFi13-dev-19

Keep up the good work...

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Wed May 30, 2007 6:03 am

I downloaded this, tried it inside Sandboxie, and... I really don't know what it does or is supposed to do...

I ran several applications with iam, I tried deleting things, creating things, changing things... all successful...

Am I missing a point here? Or am I using it incorrectly?

laszlo
Posts: 32
Joined: Fri Jun 01, 2007 8:59 am

Post by laszlo » Fri Jun 01, 2007 9:33 am

Run "iam -help" to get an overview about what it does. It's not really comparable to Sandboxie.

It's a program that uses mechanisms that have been built into the NT line of Microsoft operating systems since 2000 to restrict your permissions before you start an application. It does this by stripping privileges from your token, changing the groups you're a member of to deny-only and adding restricting groups.

For an exact explanation of what that means search the web, but in a nutshell: you can use NTFS and registry permissions to create a combination of special group memberships that restrict file system and registry access for specific program runs without having to run them under different credentials and without needing elevated rights to do so.

The disadvantage of this approach and the reason why Microsoft didn't implement something like this earlier themselves is that interprocess communication isn't subject to normal access control, so it's rather easy to break out of such a sandbox (Vista's UAC and integrity levels change that somewhat, but anyway). Sandboxie on the other hand has a much wider scope in that it also controls IPC, which makes it a far more secure and complete solution (besides the fact that by default Sandboxie doesn't really restrict but rather virtualizes access, which is totally different from what IAM does).

IAM is a little complicated but it perfectly does what it promises outside of Sandboxie. Inside however, its functionality is considerably restricted in that it can only strip privileges from your token (that's what I have used it for for quite some time) and switch groups to deny-only, but not add restricting groups, which makes it appear like it doesn't do anything inside Sandboxie on a system with default NTFS and registry permissions.
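
Added example, not part of the post above and not IAM's or Sandboxie's code: a simplified Python model of the Windows DACL check for a restricted token, showing why deny-only groups alone change nothing under default permissions while a restricting group does. Group names stand in for SIDs, `LowRights` is a hypothetical restricting group, and the ACLs are constructed sample data.

```python
# Simplified model of the Windows DACL check for restricted tokens (added example).
# Real checks also handle per-right access masks, inheritance, privileges and
# integrity levels; this keeps one right ("write") and ordered ACEs only.
from dataclasses import dataclass, field

@dataclass
class Token:
    enabled: set                                    # SIDs usable for allow and deny ACEs
    deny_only: set = field(default_factory=set)     # SIDs that match deny ACEs only
    restricting: set = field(default_factory=set)   # restricting SIDs (second pass)

def _pass(dacl, allow_sids, deny_sids):
    """Walk ACEs in order; the first matching ACE decides. No match means denied."""
    for kind, sid in dacl:
        if kind == "deny" and sid in deny_sids:
            return False
        if kind == "allow" and sid in allow_sids:
            return True
    return False

def access_check(token, dacl):
    # Pass 1: group SIDs. Deny-only SIDs can trigger deny ACEs but never grant.
    first = _pass(dacl, token.enabled, token.enabled | token.deny_only)
    if not token.restricting:
        return first
    # Pass 2: restricting SIDs are evaluated alone; both passes must grant.
    second = _pass(dacl, token.restricting, token.restricting)
    return first and second

# Constructed sample ACLs (not taken from a real system).
DEFAULT_DIR = [("allow", "Administrators"), ("allow", "Users")]
LOCKED_DIR = [("allow", "Administrators")]
SANDBOX_DIR = [("allow", "Users"), ("allow", "LowRights")]  # LowRights: hypothetical

def scenarios():
    full = Token({"Administrators", "Users"})
    deny_only = Token({"Users"}, deny_only={"Administrators"})
    restricted = Token({"Users"}, {"Administrators"}, restricting={"LowRights"})
    return {
        "full/default": access_check(full, DEFAULT_DIR),
        "deny_only/default": access_check(deny_only, DEFAULT_DIR),
        "deny_only/locked": access_check(deny_only, LOCKED_DIR),
        "restricted/default": access_check(restricted, DEFAULT_DIR),
        "restricted/sandbox": access_check(restricted, SANDBOX_DIR),
    }

if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name:20} {'granted' if granted else 'denied'}")
```

The model covers only the file and registry ACL decision; it says nothing about interprocess communication, which is the gap the post describes.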
