Global Option Request

dlguild · Post by **dlguild** » Mon Sep 17, 2007 1:42 am

I would like a global variable which, when enabled, would limit access to the "Temporarily Disable Forced Programs" selection to users with administrative privileges only. In addition, if this global variable is set for "restricted" mode, it should prevent non-administrators from modifying the sandboxie.ini file (perhaps set the configuration file to 'read only' for non-administrators).

This would provide a great deal of administrative control over what is allowed to occur on computers in multi-user environments. Parents, for example, would fine this comforting. I suppose some sort of a password scheme could be used to control access to these functions, but I believe it would be more intrusive than a simple one time global setting.

tzuk · Post by **tzuk** » Tue Sep 18, 2007 4:23 pm

I was thinking about adding permissions to control who can use and edit which sandbox. I can add a switch for that option too, but keep in mind, it can be bypassed: People can always copy the program folder to their home folder, and rename the executable file.

dlguild · Post by **dlguild** » Tue Sep 18, 2007 6:01 pm

I hadn't thought about the possibility of copying the program folder. In my situation where I am dealing with individuals in a Terminal Server environment, this would be fairly easy to spot. The main thing I am concerned about is that everyone has now figured out that they can temporarily disable the sandbox. I am just trying to figure out a way for this option to go away except when needed by those responsible for updates & patches.

Thanks!

tzuk · Post by **tzuk** » Wed Sep 19, 2007 6:55 pm

Until I implement these restrictions in editing Sandboxie.ini, try setting ForceDisableSeconds=0, that should disable the option to temporarily disable forced processes. You should also be able to set permissions on Sandboxie.ini so it can't be modified by non-admins. (But I'm surprised you let them create files in C:\Windows or in C:\Program Files, in the first place.)

dlguild · Post by **dlguild** » Wed Sep 19, 2007 6:59 pm

Thanks Tzuk! I had already set the .ini permissions to read-only for non-admin, but I did not think of changing the ForceDisableSeconds to zero.

tzuk · Post by **tzuk** » Fri Oct 19, 2007 12:16 am

Well.. In the end I didn't go so far as to implement sandbox-based permissions. But in version 3.0.25 and onwards an administrator has these settings to play with:

EditAdminOnly=y

Prevents non-Admin users from editing Sandboxie.ini.

Note that in version 3.0.25, Sandboxie Control modifies the ini file through SbieSvc. This was primarily changed to handle UAC in Windows Vista and other users who prefer to run as least-privilege accounts. This means that the ini file can be changed by an ordinary user regardless of the permissions of Sandboxie.ini.

With EditAdminOnly=y setting, SbieSvc will not accepts changes by non-Admins.

DisableForceAdminOnly=y

Only admins can use the Disable Forced Programs feature.

dlguild · Post by **dlguild** » Fri Oct 19, 2007 3:06 am

Changes noted & much appreciated! Looks like street011 was wrong - you haven't been working on your bathroom after all!

Thanks again for all you efforts.

soccerfan · Post by **soccerfan** » Fri Oct 19, 2007 6:59 am

Looks like street011 was wrong - you haven't been working on your bathroom after all!:lol:

Yeah, all this while, he was working IN his bathroom

Great job, Tzuk.
soccerfan

Sandboxie Support

Global Option Request

Global Option Request

Who is online