Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

If it's not about a problem in the program
Post Reply
claws_lon
Posts: 3
Joined: Wed Aug 09, 2017 2:54 am

Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

Post by claws_lon » Wed Aug 09, 2017 3:26 am

I'm trying to configure a secured version of Chromium, which still can use the Background Intelligent Transfer Service (BITS) for downloading. The messages I got seems to indicate that starting the service in not allowed due to dropped rights. This part makes sense and is coherent with the protection I expect.

On the other hand, granting full admin rights in the sandbox just to run 1 service (which seems to be the suggestion brought up in several posts here) also conflicts with the level of protection I'd like to achieve. The ideal solution would be a sandbox configuration, for which the service is already available. Programs running in the sandbox could then use the service, but at the same time the isolation level does not allow them access to any other administrative functions, services etc.

So far I tried starting Sandboxiebits inside the sandbox - it doesn't achieve much, because the program shortly runs and stops later. Starting it externally causes an association issue SBIE2303. Starting the normal BITS service (which is set to manual) also doesn't seem to help either.

Is anyone aware of a way to properly associate a service with a sandbox, while keeping the extra protection of dropped admin rights for other programs running inside the same sandbox?

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 1458
Joined: Mon Nov 07, 2016 9:10 pm

Re: Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

Post by Barb@Invincea » Wed Aug 09, 2017 4:29 pm

Hello claws_Ion,

What is the exact error that you are receiving?
What are your OS, Sandboxie and Antivirus versions?

Is this the message that you are receiving?
https://www.sandboxie.com/index.php?SBIE2214

Please have a look at this entry for more info regarding Drop Rights:
https://www.sandboxie.com/?RestrictionsSettings

Perhaps you can use restrictions to disable other programs from running in your Sandbox:
https://www.sandboxie.com/?RestrictionsSettings

Regards,
Barb.-

claws_lon
Posts: 3
Joined: Wed Aug 09, 2017 2:54 am

Re: Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

Post by claws_lon » Thu Aug 10, 2017 2:26 am

Hi Barb,
I'm receiving the following (as you already guessed):
SBIE2214 Request to start service 'bits' was denied due to dropped rights
SBIE2219 Request was issued by program SandboxieDcomLaunch.exe [Iron]
SBIE2220 To permit use of Administrator privileges, please double-click on this message line

Software Setup:
Microsoft Windows [Version 10.0.15063] (W10 64 bit CU)
Sandboxie 5.20 (64 bit)
Chromium Version 61.0.3147.0 (Developer Build) (64-bit)
Bitdefender TS 2017

As mentioned, I'd ideally apply the dropped rights to all programs running in the sandbox - including Chromium itself (similar to running as a limited user, just without enforcing this kind of a profile switch). Therefore, the granting full permissions as the SBIE2214 related posts here suggest doesn't solve this part.

The goal would be similar to using setuid / setgid under Linux for BITS (which allows a particular file to be executed with the owner's permission) and this way grants admin permissions to SandboxieBITS.exe, but at the same time ensures no other programs can run with administrative privileges.

The run restrictions - e.g. only allowing Chromium to run (but with full admin rights) is not a good choice to my mind. There were cases where a script in the browser used a buffer overflow in Chromium (or one of it's plugins / extensions in case of other users as I don't run any in my setup) to do something malicious with browser itself. Then the attacker does not need to run any other program and enjoys full admin access at this time already, because I granted it to Chromium just to start the BITS service.

This is exactly the scenario I'd like to protect against by limiting permissions.

bo.elam
Sandboxie Guru
Sandboxie Guru
Posts: 2646
Joined: Thu Apr 23, 2009 2:17 am

Re: Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

Post by bo.elam » Thu Aug 10, 2017 9:36 pm

Hi claws_Ion, I dont use Chrome but I know that in some computers to avoid getting the BITS messages when running Chrome sandboxed you have to disable Drop rights. There is no way getting around that. This works like that due to how Chrome works. Read here about SandboxieBITS.exe and Chrome.
https://www.sandboxie.com/index.php?Ser ... grams#bits

Bo

claws_lon
Posts: 3
Joined: Wed Aug 09, 2017 2:54 am

Re: Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

Post by claws_lon » Sat Aug 12, 2017 6:48 pm

Hi Bo,
Thank you for posting the link. It was one of those I've already read before asking the question. If there is indeed no way of achieving the ability of running a specific service inside the sandbox while restricting the rights to all other programs within it than this might be a useful feature for the future.

It would be nice if Barb could also confirm this.

In the meantime, I'll then have to come up with a different approach to achieve something similar. I'll probably use PSexec by MS(part of the sysinternals suite) then to drop the rights for the browser, potentially by just running it as a different limited user inside the sandbox.

Thanks for your help

Barb@Invincea
Sandboxie Support
Sandboxie Support
Posts: 1458
Joined: Mon Nov 07, 2016 9:10 pm

Re: Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

Post by Barb@Invincea » Mon Aug 14, 2017 6:18 pm

Hello claws_lon,

You will need to either enable drop rights, or use restrictions so that only Chrome can run inside that Sandbox.
You may also try to "hide" the message instead of closing it, and see if you are still able to use Chrome (just hit "Hide" when the message appears). If that doesn't work, you can un-hide it by going to Configure--> Forget hidden messages.

You could also install Chrome directly inside Sandboxie, which might help you achieve your goal:
viewtopic.php?f=11&t=21974&start=60#p128829

Regards,
Barb.-

bo.elam
Sandboxie Guru
Sandboxie Guru
Posts: 2646
Joined: Thu Apr 23, 2009 2:17 am

Re: Allowing BITS service tobe avaliable for a sandbox while dropping Admin rights otherwise

Post by bo.elam » Tue Aug 15, 2017 1:05 am

Barb@Invincea wrote:
Mon Aug 14, 2017 6:18 pm
You may also try to "hide" the message instead of closing it, and see if you are still able to use Chrome (just hit "Hide" when the message appears).
Hi Barb, remember, I don't use Chrome, but as I understand it the BITS message for some reason is one message that can not be hidden. The user clicks Hide, and it ll comes back next time they run Chrome. I seen a few users report that. Perhaps it can be hidden in some systems but not all.

Bo

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests