Specify a folder not to sandbox?

Ideas for enhancements to the software
Guest

Specify a folder not to sandbox?

Post by Guest » Sat Nov 04, 2006 2:42 am

Hello,

Maybe I'm an idiot and haven’t seen this feature... But I am wondering if it’s possible or if it could be implemented to have an option for internet explorer, FireFox...etc... To be able to save files to a custom folder say C:\Downloads and not have it automatically sandboxed? In other words when I erase the sandbox the files in "downloads" would still remain and be accessible as any other file (not sandboxed).

I’ve had on a few occasions that I downloaded a file for later use (forgot) and then closed the sandbox erasing the contents only to realize I hadn’t used the recover feature. I figure if a program were to be trying to "exploit" your computer it wouldn’t really know of a non-standard folder (nor would it really care).

Also now that I write this, what about the ability to right click and open file in an external application not sandboxed? Same type of idea as the above I suppose just an app not a folder.

Anyway love the program,

Thanks for all the hard work.

mizzmona
Posts: 70
Joined: Fri Jul 28, 2006 4:58 am
Location: Missouri, USA
Contact:

Re: Specify a folder not to sandbox?

Post by mizzmona » Sat Nov 04, 2006 5:09 am

Anonymous wrote:I am wondering if it’s possible... To be able to save files to a custom folder say C:\Downloads and not have it automatically sandboxed?
OpenFilePath is what you want.

-M

Guest

Post by Guest » Sat Nov 04, 2006 3:44 pm

Hello,

Thanks for the reply. That helps a lot. :)

I have one problem still however.

I was able to get the "C:\Downloads" example to work fine. However I am unable to get a program to start outside the sandbox.

I tried:
OpenFilePath=program.exe, pathtoprogram
as well as
OpenFilePath=program.exe

Neither seemed to affect program.exe when loaded.

I assume I'm just doing this wrong.

The reason I am trying to do this is for programs such as external download managers or whatever that require direct access. So when the program is activated from my browser (which is sandboxed) I would like the spawned process not to be sandboxed.

Please let me know,
Thanks

SBIE User

Post by SBIE User » Sat Nov 04, 2006 3:50 pm

Anonymous wrote:However I am unable to get a program to start outside the sandbox.
Unless you have set the program as a "forced" program in SandboxIE's config file or have started the program with "Run Sandboxed," the program will automatically run outside the sandbox. SandboxIE only sandboxes programs which are specifically designated to run inside a sandbox.

The OpenFilePath setting is a way of allowing programs which have been specifically designated to run in the sandbox to access (directly write to) directories or files outside the sandbox.

Does that help? If I've missed your point, please give us some more information about what you want to do and we'll try to help further.

SBIE (Happy) User

SBIE User

Post by SBIE User » Sat Nov 04, 2006 4:00 pm

Anonymous wrote:However I am unable to get a program to start outside the sandbox.

I tried:
OpenFilePath=program.exe, pathtoprogram
as well as
OpenFilePath=program.exe

Neither seemed to affect program.exe when loaded.
Perhaps I misunderstood what you want to do. If what you want to do is to allow a specific sandboxed program access to any folder or file on your hard drive, then you could use the following examples that allow Notepad to access any folder on drives C or E. (This would only be necessary if Notepad is executed in a sandbox. Otherwise, it has direct access to those drives anyway.)

Code:

OpenFilePath=notepad.exe,C:\
OpenFilePath=notepad.exe,D:\

Generally speaking, it is not a good idea to allow any sandboxed program to have such total access, as it defeats the purpose of SandboxIE. In some cases, however, a user may choose to allow such access. In any event, I would urge you not to grant such access to any web-based programs (browsers, email clients, etc.), as they pose the greatest risks when allowed complete access to write directly to your system.

SBIE (Happy) User

SBIE User

Post by SBIE User » Sat Nov 04, 2006 4:03 pm

Oops! Wow, did I screw up.

You should NOT use trailing slashes with OpenFilePath settings.

The correct code in my message above should be

Code:

OpenFilePath=notepad.exe,C:
OpenFilePath=notepad.exe,D:

If you were to include the trailing slashes, the code would not work.

Sorry for the confusion.

SBIE (Happy) User
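
An added example, not part of the original posts and not Sandboxie's own code: a small Python audit of OpenFilePath lines that flags the two problems raised in the posts above (trailing slashes, and whole-drive grants) and separately marks whole-drive grants that reach web-facing programs. The sample configuration, its `[DefaultBox]` section, the `WEB_FACING` list and the finding names are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_INI = r"""
[DefaultBox]
ForceProcess=iexplore.exe
OpenFilePath=C:\Downloads
OpenFilePath=notepad.exe,C:\
OpenFilePath=notepad.exe,D:
OpenFilePath=iexplore.exe,C:
#OpenFilePath=firefox.exe,E:
"""

# Assumption: programs treated as web-facing for this audit.
WEB_FACING = {"iexplore.exe", "firefox.exe", "outlook.exe", "thunderbird.exe"}
# A bare drive letter, with or without a trailing backslash.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")

def parse_open_file_paths(text):
    """Yield (line_no, program_or_None, path) for each active OpenFilePath line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, '#' comments and section headers.
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        # Compare case-insensitively so a mistyped capital is still audited.
        if not sep or key.strip().lower() != "openfilepath":
            continue
        prog, comma, path = value.partition(",")
        if comma and prog.strip().lower().endswith(".exe"):
            yield no, prog.strip().lower(), path.strip()
        else:
            # No program prefix: the path is opened for every sandboxed program.
            yield no, None, value.strip()

def audit(text):
    """Return a list of (line_no, finding) tuples in file order."""
    findings = []
    for no, prog, path in parse_open_file_paths(text):
        if path.endswith("\\") or path.endswith("/"):
            findings.append((no, "trailing-slash"))      # per the thread: will not work
        if DRIVE_ROOT.match(path):
            findings.append((no, "whole-drive"))          # defeats the sandbox
            if prog is None or prog in WEB_FACING:
                findings.append((no, "web-facing-whole-drive"))
    return findings
```
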

mizzmona

Post by mizzmona » Sat Nov 04, 2006 4:05 pm

Anonymous wrote:So when the program is activated from my browser (which is sandboxed) I would like the spawned process not to be sandboxed.
Programs and associated files launched from within the sandbox environment will open sandboxed. There is no setting or trick that will make it do otherwise, currently.

You can give a sandboxed program direct access to all unsandboxed folders, but it defeats the purpose of the sandbox... as SBIE mentioned.

-M

mizzmona

Post by mizzmona » Sat Nov 04, 2006 4:25 pm

mizzmona wrote:
Anonymous wrote:So when the program is activated from my browser (which is sandboxed) I would like the spawned process not to be sandboxed.
Programs and associated files launched from within the sandbox environment will open sandboxed. There is no setting or trick that will make it do otherwise, currently.
I should add, however, that something like IceSword can "bypass" the sandbox when run sandboxed, but only because it has kernel level drivers which were already running from outside the sandbox. Not that I really recommend sandboxing programs that do that either, this is just for info purposes. (See this thread.)

Guest

Post by Guest » Sat Nov 04, 2006 7:17 pm

hmm.. so from all this I grasp that it is not possible to unsandbox a spawned process.

In my case, clicking a link on the web that utilizes an external program. I don't want this program sandboxed as it doesn't work properly (probably because of firewall restrictions).

Ok well thank you all for your help and advice. If you have anything more to add please let me know.

I shall just suggest as a feature in the future to be able to do this. I know in the UNIX world "sandboxes" can use what are called 'symbolic links' to access external programs/files. Maybe there is something similar in Windows?

Thanks again for the help. :)

SBIE User

Post by SBIE User » Sat Nov 04, 2006 7:46 pm

Anonymous wrote:hmm.. so from all this I grasp that it is not possible to unsandbox a spawned process.

In my case, clicking a link on the web that utilizes an external program. I don't want this program sandboxed as it doesn't work properly (probably because of firewall restrictions).
Correct, as mizzmona said, what you want to do is not currently possible under SandboxIE.

There is a kind of work-around, but it's not very pretty. :(

If you know you're planning to go to a web site that will spawn a program you don't want to run under the Sandbox, then open the browser outside the sandbox. Assuming your browser is set as a forced program, you would right-click on the SandboxIE control icon in the Windows tray (looks like a slice of pizza with freckles) and select "Temporarily Disable Forced Programs" immediately before you launch your browser. That way, your browser will launch outside the sandbox, and I think any program it spawns will also open outside the sandbox -- but you'll need to try that to see if it works for you.

That's not a pretty work-around and means you won't have the protection of SandboxIE for your browser during that session, but it might work for occasional purposes.

The biggest problem I have along the lines of your issue is when I try to run Windows updates from IE each week. I have found that temporarily disabling IE using the method I described above does not work for the Windows update process -- so I have to edit my SandboxIE config file to comment out (#) the "ForceProcess=iexplore.exe" setting and reload the configuration. Then I run Windows update from IE and after it's done I go back and remove the # in front of the ForceProcess=iexplore.exe line and reload the config file. That's a real pain, but I have not figured out a better way to do it.

Perhaps Tzuk will tell us there is an easy solution that we don't know about. I'd love to be wrong about this!

SBIE (Happy) User

Guest

Post by Guest » Sat Nov 04, 2006 10:47 pm

Haha I hope something can be resolved in the future as well.

In the meantime I'll probably just copy the spawning links into a non sandboxed browser or something.

Thanks again for your input. :)
