Page 1 of 1

Using a sandbox on a network share

Posted: Fri Jan 19, 2018 7:05 pm
by TonyF
Is it possible to run a sandbox on a network share? From what i can tell it should be possible but i am having no luck.

With my use case i am running sandboxie on my daily pc which is a virtual machine.

On my back end i have a parity protected array and specific SSD drives that i am using as a network share. Instead of creating a new drive image (in case it corrupts etc) to store my sandboxed items i would rather store them directly on the share. This also gives me the ability to transparently move files on the back end as the need requires.


I have created a symbolic link on my c drive "C:\Sandbox\SandboxCache" which points to "\\192.168.168.99\Sandboxie Cache"

If i run an installer i get:
SBIE1212 Cannot create directory '\Device\Mup\192.168.168.99\Sandboxie Cache\testbox'
SBIE2314 Canceling process Start.exe

Note that the 'testbox' folder, reg hive and drive folder were created on the network drive.
Deleting the contents from sandboxie is also successful.

I have tried opening pipes to this directory etc but to no avail.


The computer has write permissions and sandboxie does indeed write there so i dont know what else to try.

Why would sandboxie try to be writing to '\Device\Mup\192.168.168.99\Sandboxie Cache\testbox' instead of "C:\Sandbox\SandboxCache\testbox"?

Any help would be appreciated.

Re: Using a sandbox on a network share

Posted: Mon Jan 22, 2018 10:29 am
by Barb@Invincea
Hello TonyF,

Have a look at these entries:
https://www.sandboxie.com/SBIE1212
viewtopic.php?f=11&t=24979&hilit=symbolic
viewtopic.php?p=130918#p130918

If you are still unable to get it to work, please provide repro steps along with this info, so that I can test it:
viewtopic.php?f=11&t=19746

Regards,
Barb.-

Re: Using a sandbox on a network share

Posted: Tue Jan 23, 2018 7:27 pm
by TonyF
Hi Barb,

Windows 10 64bit
Sandboxie v5.22

Software involved. MSI installers, my testing installers in this case is the default MinecraftInstaller.msi or 'PDF Xchange EditorV7.x64.msi

No antivirus running outside of windows defender.


I create a symbolic link at "C:\Sandbox\SandboxCache" which points to "\\192.168.168.99\SandboxieCache"

I create a 'test_sandbox' whos filerootpath C:\Sandbox\SandboxCache\%SANDBOX%

- I am able to install steam without issue. Steam however gets stuck permanently 'cleaning up'.
- Installing an MSI file results in SBIE1212 Cannot create directory '\Device\Mup\192.168.168.2\SandboxieCache\test_sandbox'
- Adding Full and direct access to these folders does not make a difference.


Note running the above installers in a sandbox not on a symbolic link to a network drive work without issue.


There was another test installing steam in a sandbox on the c drive and storing the games on the network drive (via symbolic link) with direct access.
This scenario works without sandboxie error however steam goes into a game permanent update scenerio (Where the files are on the network drive) which does not happen on the local drive. This indicates there is a permission error however in this case sandboxie does not report anything.

Re: Using a sandbox on a network share

Posted: Wed Jan 24, 2018 12:43 pm
by Barb@Invincea
Hello TonyF,

Maybe I am not following, but can't you just set the root folder to the network share that you want to use? You will still need to follow the steps I provided before: viewtopic.php?p=130918#p130918
If OpenFilePath doesn't do the trick, do OpenPipePath instead.

I tested that setup and I was able to save a notepad file to the location I gave access to on my network drive. (It will not work for other drives like C: drive unless you also open paths for them (this is probably why you cannot finish installing your apps), which kind of defeats the purpose of running things in a Sandbox).

The symlink behavior was the same as with the root folder change. However, the performance will degrade a lot when using this setup, just to keep in mind. Launching a web browser took several minutes, saving a notepad file took almost 40 seconds...

I also found further discussions about this (older, but may still apply):
viewtopic.php?f=11&t=11892
viewtopic.php?f=11&t=13571

Regards,
Barb.-

Re: Using a sandbox on a network share

Posted: Mon Jan 29, 2018 6:28 am
by TonyF
I had less luck trying to use the root folder directly to the network share.

Using the direct approach without symlinks and trying to open as much access as possible i have done:

FileRootPath=\\192.168.168.99\Sandboxie\NetworkSandbox\%SANDBOX%
OpenPipePath=\Device\Mup\192.168.168.99\Sandboxie\NetworkSandbox\
OpenPipePath=\\192.168.168.99\Sandboxie\NetworkSandbox\
OpenFilePath=\Device\Mup\192.168.168.99\Sandboxie\NetworkSandbox\
OpenFilePath=\\192.168.168.99\Sandboxie\NetworkSandbox\

Under restrictions -> Network Files i have unticked to block network file access


If i run notepad in this sandbox and save a file to the My Documents folder i get ' C:\Users\Me\Documents\test file.txt Path does not exist'. Note i get this error for any path i put in

Re: Using a sandbox on a network share

Posted: Mon Jan 29, 2018 11:34 am
by Barb@Invincea
Hello TonyF,
If i run notepad in this sandbox and save a file to the My Documents folder i get ' C:\Users\Me\Documents\test file.txt Path does not exist'. Note i get this error for any path i put in
The only paths that will work are the ones within the network drive you are selecting as your root folder. For other drives, including C: drive, you will need to manually open the paths as I explained on my response above. Again, this setup is not recommended.

Regards,
Barb.-

Re: Using a sandbox on a network share

Posted: Mon Jan 29, 2018 5:20 pm
by TonyF
Hi Barb,

What if i want the saved location to be sandboxed?

If i openfilepath or openpipepath to the for example 'My Documents' then the location is directly accessible and defeats the purpose of a sandbox.

My goal is to have my sandbox functionality the exact same whether the sandbox location is stored on a physical drive or a network drive. eg if i save to 'Program Files' then it is saved in the sandboxed location of 'Program Files'. (ie change 'Set Container Folder' to a network drive and have it work the same as the one on the c drive)

If i get this right and opening direct paths is the only way this works then it defaults the purpose of the sandbox.

You can see why i went the symbolic link route as it had some better results however there were many inconsistencies with that as well. (Hence this post)