NTFS permissions

Ideas for enhancements to the software
Guest10

Post by Guest10 » Fri Mar 29, 2013 3:42 pm

Guestd wrote:I'd like to ask if one were to change the permissions in C:\Sandbox\username, what exactly would need to be done, in order to keep things secure/manageable?
I don't remember anyone posting a list of steps to do that.
Guestd wrote:And, would a new Sandboxie install (an upgrade) restore the permissions back to what they were?
No, upgrading Sandboxie to a newer version would not restore the old permissions to the C:\Sandbox folder.
Deleting 'C:\Sandbox' might do it, but I'm not sure if Windows would remember the old permissions when the 'C:\Sandbox' folder is recreated.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

Guestd

Post by Guestd » Fri Mar 29, 2013 4:01 pm

Guest10 wrote:I don't remember anyone posting a list of steps to do that.
Sorry, I didn't want to imply someone did. I suppose I should have made the question after exposing the rest of the post, related to the permissions. Basically, what I wanted to ask is if mimicking C:\Users\Username to C:\Sandbox\User_Sandbox, would be the best procedure for what some are trying to achieve, including myself. It seems to be the perfect solution for privacy+security. After all, that's how Windows 7 (I suppose the other previous versions as well) isolates each user account folder from every user, so I suppose it would be safe to apply the same set of permissions/restrictions to C:\Sandbox\User_Sandbox. It makes sense in my head.

I was just wondering what you folks think about it. :)
Guest10 wrote:No, upgrading Sandboxie to a newer version would not restore the old permissions to the C:\Sandbox folder.
Deleting 'C:\Sandbox' might do it, but I'm not sure if Windows would remember the old permissions when the 'C:\Sandbox' folder is recreated.
OK. :)

Guestd

Post by Guestd » Fri Mar 29, 2013 7:18 pm

For some reason Sandboxie changes permissions back to Everyone and Authenticated Users groups for C:\Sandbox\Username\Sandbox

I can mimic C:\Sandbox to reflect C:\Users and C:\Sandbox\Username\ to reflect C:\Users\User_account, but the programs' sandbox folders won't inherit those permissions, and I suspect that some Sandboxie process could be behind this behavior... ???

Has anyone been able to successfully make such changes?

Guestd

Post by Guestd » Fri Mar 29, 2013 7:24 pm

Guestd wrote:For some reason Sandboxie changes permissions back to Everyone and Authenticated Users groups for C:\Sandbox\Username\Sandbox

I can mimic C:\Sandbox to reflect C:\Users and C:\Sandbox\Username\ to reflect C:\Users\User_account, but the programs' sandbox folders won't inherit those permissions, and I suspect that some Sandboxie process could be behind this behavior... ???

Has anyone been able to successfully make such changes?
I forgot to mention that from a privacy aspect, it doesn't matter that Everyone and Authenticated Users are added back to the sandbox name folder, because other users still can't access C:\Sandbox\UsernameA and vice versa. I'm just wondering why it won't inherit from the parent?

Guestd

Post by Guestd » Sat Mar 30, 2013 10:51 am

Guestd wrote: I forgot to mention that from a privacy aspect, it doesn't matter that Everyone and Authenticated Users are added back to the sandbox name folder, because other users still can't access C:\Sandbox\UsernameA and vice versa. I'm just wondering why it won't inherit from the parent?
OK. I did some experimenting. If I don't delete the sandbox contents using Sandboxie itself, then the sandbox folder itself won't get deleted, which means that the permissions/restrictions will remain those I previously set. So, from now on, I'll use Eraser GUI to delete the contents of the sandbox folders, instead of calling it through Sandboxie.

This seems to be the best approach for those wishing to have sandbox data separated for each user account. Hopefully, Tzul will implement this design in future releases, which would make things so much easier, I must say, and benefit users that wouldn't know how to do this kind of privilege separation by messing with ACLs/ACEs.

Guestd

Post by Guestd » Sat Mar 30, 2013 3:02 pm

I was able to play a little more with this experiment, and any folder within C:\Sandbox\Sandbox_Folder\* will still get permissions set by Sandboxie itself. There just isn't a way that I know of to prevent this from happening.

To clarify and make it more understandable for others not understanding much of what I have been mentioning thus far, this is what I managed to change so far:

C:\Sandbox - I removed the default permissions, and applied the permissions of C:\Users to it. They remain.
C:\Sandbox\Sandbox_Folder - I removed the default permissions, and applied the permissions of C:\Users\User_Profile. They remain, provided that I don't delete contents with Sandboxie. I use Eraser to delete the contents of the folder, but not the folder itself.

Any other container/object (folder, file...) created within C:\Sandbox\Sandbox_Folder has permissions set by Sandboxie itself, and they cannot be changed, at all. These permissions are for the group Authenticated Users and the User.account.

It would be nice if there is a way to force containers/objects within C:\Sandbox\Sandbox_Folder\* to inherit from the parent folder (C:\Sandbox\Sandbox_Folder).

The only way I'm thinking of, at the moment, and that could possibly do the trick, would be to script something that detects the creation of any new child objects and automatically recreates the permissions from C:\Sandbox\Sandbox_Folder on them. :lol:
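
A read-only check for the situation described in this thread, added here as an example and not code from any poster or from Sandboxie: it lists child objects that block inheritance or carry explicit ACEs, and flags Everyone / Authenticated Users by well-known SID. The function name `Get-AclInheritanceReport` and the constructed demo tree under `%TEMP%` are assumptions; point `-Root` at the real sandbox folder to audit it.

```powershell
# Added example (hypothetical helper): report objects whose DACL is not purely inherited.
# Well-known SIDs are matched instead of names so the check works on localized Windows.
$BroadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

function Get-AclInheritanceReport {
    param([Parameter(Mandatory)][string]$Root)  # e.g. C:\Sandbox\Sandbox_Folder (assumed)

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl      = Get-Acl -LiteralPath $_.FullName
        # Ask for SIDs rather than account names; include explicit and inherited rules.
        $rules    = $acl.GetAccessRules($true, $true,
                        [System.Security.Principal.SecurityIdentifier])
        $explicit = @($rules | Where-Object { -not $_.IsInherited })
        $broad    = @($explicit | Where-Object {
                        $BroadSids.ContainsKey($_.IdentityReference.Value) })

        # Report only objects that deviate from "inherit everything from the parent".
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path               = $_.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAces       = $explicit.Count
                BroadGroups        = ($broad | ForEach-Object {
                    $BroadSids[$_.IdentityReference.Value] } | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# --- Constructed demo tree (not a real sandbox) ---
$root = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$root\inherits", "$root\explicit" | Out-Null

# Give one folder a protected DACL with an explicit Authenticated Users ACE.
$acl  = Get-Acl -LiteralPath "$root\explicit"
$sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRuleProtection($true, $true)   # block inheritance, keep copies of old ACEs
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath "$root\explicit" -AclObject $acl

# Only "$root\explicit" is listed; "$root\inherits" has a purely inherited DACL.
Get-AclInheritanceReport -Root $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Running the report before and after a sandbox is emptied shows which folders had their ACL replaced rather than inherited.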
