How can I allow sandboxed apps access to services?

Post by petey » Tue Apr 29, 2008 2:05 am

Hi all,

I am wondering if it is possible to allow sandboxed apps access to Windows services? I am trying to allow a sandboxed app to access a database on a SQLEXPRESS server but it cannot locate the server. Is there a way I can open the sandbox to a specific service? Or do I need to install SQLEXPRESS into the same sandbox? This would mean I would have to restore the databases of interest to the sandboxed sqlserver instance (I would like to avoid this if possible).

Thanks for your time.

petey

Post by petey » Tue Apr 29, 2008 7:32 am

Ah, I apologise for the hasty post.
I've delved deeper into Sandboxie's functionality and used the access tracing to find the files the sandboxed apps were denied access to.
If anyone is interested, I had to add the following lines to the ini file to enable sqlserver (SQLEXPRESS) access.

...
OpenPipePath=\Device\NamedPipe\lsarpc
OpenPipePath=\Device\Mup
OpenPipePath=\Device\NamedPipe\MSSQL$SQLEXPRESS
OpenPipePath=\Device\NamedPipe\SQLLocal
...

Post by Guest10 » Tue Apr 29, 2008 8:09 am

petey wrote:
OpenPipePath=\Device\NamedPipe\lsarpc

You may want to try it without that line. I don't have the link to the following information (I saved the text, for future reference, from one of tzuk's FAQ's):

"The system-management named pipes lsarpc, srvsvc, wkssvc, samr can be accessed by a sandboxed program, and this access is guaranteed to be non-Administrator. If you have these pipes listed in an OpenFilePath/OpenPipePath, to make some program work, it is suggested you remove them."

As far as I know, this advice is still recommended.

Post by tzuk » Tue Apr 29, 2008 8:42 am

In addition to what Guest10 said, I also suggest trying without -

OpenPipePath=\Device\Mup

Both lsarpc and this mup allow for some security vulnerabilities. Of course if this is a sandbox dedicated to running a specific trusted application then it isn't much of a problem. But the information is here for you to decide.
tzuk

Post by petey » Tue Apr 29, 2008 6:17 pm

Thanks for the replies,
I tried without the setting ini lines:

...
OpenPipePath=\Device\NamedPipe\lsarpc
OpenPipePath=\Device\Mup
...

as suggested and the sandboxed app runs fine. It was only attempting to access the UNC provider when I provided an invalid sql server name.
What a fantastic app :D
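
An added example (not part of the thread and not Sandboxie's own code): a Python check that scans Sandboxie ini text for OpenPipePath/OpenFilePath entries naming the pipes the quoted FAQ says to remove, plus \Device\Mup from tzuk's reply. The [DefaultBox] section name and the Enabled line in the sample are assumed; the four OpenPipePath lines are the ones petey posted.

```python
import re

# Paths this thread advises against opening: the four pipes named in the
# quoted FAQ, plus \Device\Mup from tzuk's reply. Compared case-insensitively.
FLAGGED = {
    r"\device\namedpipe\lsarpc": "FAQ: system-management pipe",
    r"\device\namedpipe\srvsvc": "FAQ: system-management pipe",
    r"\device\namedpipe\wkssvc": "FAQ: system-management pipe",
    r"\device\namedpipe\samr": "FAQ: system-management pipe",
    r"\device\mup": "tzuk: UNC provider",
}
SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
SETTING = re.compile(r"^\s*(OpenPipePath|OpenFilePath)\s*=\s*(.+?)\s*$", re.I)

def audit(ini_text):
    """Return (section, line_no, setting, path, reason) per flagged entry."""
    findings, section = [], None
    for line_no, line in enumerate(ini_text.splitlines(), 1):
        if (m := SECTION.match(line)):
            section = m.group(1)
            continue
        if not (m := SETTING.match(line)):
            continue
        setting, value = m.groups()
        # A value may be scoped to one program as "program.exe,path".
        path = value.split(",", 1)[-1].strip()
        # Ignore a trailing wildcard or backslash when comparing.
        norm = path.lower().rstrip("*").rstrip("\\")
        for bad, reason in FLAGGED.items():
            if norm == bad or norm.startswith(bad + "\\"):
                findings.append((section, line_no, setting, path, reason))
    return findings

# Constructed sample: the section name and Enabled line are assumed; the four
# OpenPipePath lines are the ones posted in the thread.
SAMPLE = r"""[DefaultBox]
Enabled=y
OpenPipePath=\Device\NamedPipe\lsarpc
OpenPipePath=\Device\Mup
OpenPipePath=\Device\NamedPipe\MSSQL$SQLEXPRESS
OpenPipePath=\Device\NamedPipe\SQLLocal
"""

if __name__ == "__main__":
    for section, line_no, setting, path, reason in audit(SAMPLE):
        print(f"[{section}] line {line_no}: {setting}={path}  ({reason})")
```

On the sample it reports the lsarpc and Mup lines and leaves the two SQL Server pipe entries alone, which matches the configuration petey ended up with.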
