All posts by jclarkw (4)

topic: Simplest Usage of SuRun Together with Sandboxie -- Combined Topic  in the forum: SuRun English speaking
jclarkw #1
Member since Apr 2012 · 4 posts
Group memberships: Mitglieder
Show profile · Link to this post
Quote by Kay:
peterk62's suggestion is not risky, mine is, potentially, because in my suggestion SuRun gets into the game, in peterk62's SuRun is out and thus less risky.


Thanks again, Kay.  That clarifies the matter sufficiently for me. -- jclarkw
topic: Simplest Usage of SuRun Together with Sandboxie -- Combined Topic  in the forum: SuRun English speaking
jclarkw #2
Member since Apr 2012 · 4 posts
Group memberships: Mitglieder
Show profile · Link to this post
In reply to post ID 3733
Quote by Kay:
...Both options do the same for YOU, they make SuRun work with SandboxIE.
My suggestion would enable SuRun's hooks inside SandboxIE while peterk62 would prevent them to work (and to eventually be risky)...



Dear Kay -- Thanks VERY much for the most helpful response.  The only part that I don't understand at all is your parenthetical remark quoted.  What's potentially risky about peterk62's approach?

(I might need to use more of SuRun's capabilities in the future and would not want to get myself into trouble!) -- jclarkw


P.S. -- Apparently I was editing my second message while you were typing your reply.  I hope I didn't confuse the issue further... -- J.W.
topic: Simplest Usage of SuRun Together with Sandboxie -- Combined Topic  in the forum: SuRun English speaking
jclarkw #3
Member since Apr 2012 · 4 posts
Group memberships: Mitglieder
Show profile · Link to this post
In reply to post ID 3731
Subject: More Details on Above Issue(s)
My problem occurs when I try to run FireFox inside a Sandbox from an LUA.  I repeatedly get the following message from Sandboxie:

"SBIE22-04 cannot start sandboxed service RpcSs(-1)"

When I examine the contents of the (default) Sandbox, I find three programs listed as running:

1) Start.exe (I don't know what this one is...)
2) SuRun.exe (I don't know why this should be running inside the Sandbox, since I'm not trying to elevate rights for anything -- SuRun Settings/Execution hooks/"Try to detect if unknown..." is UN-checked, SuRun Settings/SuRunners group/"User can only run predefined......" is CHECKED, and all of the options mentioned above involving shell integration are disabled!  I've only left the the top two options in Settings/Execution hooks checked, as mentioned before -- maybe not both are necessary?)
3) Start.exe (again...)

As I said before, my one program desired DOES run successfully with elevated rights (outside a Sandbox).

This does not sound to me like the problem that Kays has addressed -- see (1) in the previous message -- and in fact, when I try the solution proposed by peterk62 -- see (2) in the previous message -- my problem SEEMS to vanish.  (None of the above-listed programs is now running in the sandbox.)

Needless to say, I'm still confused.  Can anyone help me to understand what's going on here? -- jclarkw
This post was edited 2 times, last on 2012-04-09, 20:02 by jclarkw.
topic: Simplest Usage of SuRun Together with Sandboxie -- Combined Topic  in the forum: SuRun English speaking
jclarkw #4
Member since Apr 2012 · 4 posts
Group memberships: Mitglieder
Show profile · Link to this post
Subject: Simplest Usage of SuRun Together with Sandboxie -- Combined Topic
I got here by trying to set up the simplest possible implementation of SuRun on an XP SP3 system with a basic combination of SRP and NTFS access rights, using Sandboxie, Windows 7 Firewall Control, Microsoft Security Essentials, and FireFox as my security "suite."  (I'm not a "systems" person and may need more hand-holding than most on this forum.)

My goal was VERY simple:  Have just one program that won't run properly in a LUA start automatically with elevated rights (only when called, not at startup, nor in a Sandbox, nor anything else fancy) for just one Limited User.  No additional rights are desired for this "SuRunner" (no changing SuRun settings, no ability to elevate rights of other programs, no tinkering with protected Windows settings).  Also, no automatic checking for programs that need elevated rights and no additions to the context menus are desired.

I tried to achieve this simplicity by limiting most of the options in SuRun's Settings:  No "Shell Integration;" the sole SuRunner cannot change SuRun's settings and can only run the predefined programs elevated; the only program listed to start automatically with elevated rights; on the "Execution Hooks" tab, do not try to detect if applications need elevated rights; on the "Advanced" tab, check all the "If a non "SuRunners..." boxes and un-check all of the "Convenience settings"....  (I also tried un-checking the both of first two boxes on the "Execution Hooks" tab, "Install filter..." and "Set a Hook...", but I rapidly found that this prevented my program from running with elevated rights at all.)


First Question:  Is the above a viable way to use SuRun for my limited purpose?  Are there any other features that I can safely disabled?


So far so good with my one program, until I tried to run FireFox in a Sandbox.  Then I got error messages, and Sandboxie wouldn't start FireFox at all (as others have reported here since about 2008).  Initially I thought this might be a problem with the above very limited settings, but then I found discussion of the problem on this forum most recently here (http://forum.kay-bruns.de/thread/317).  Subsequently, I have found another potentially simpler solution here (http://www.wilderssecurity.com/showpost.…?s=b00bee899fd0…).  This latter solution has also been advocated here (http://www.sandboxie.com/phpbb/viewtopic.…?t=9198&hi…).


Second Question:  Understanding that I will not be doing anything tricky like installing software from a LUA or otherwise running SuRun inside a Sandbox (or vice versa), which of these two proposed solutions is preferable and why?

1) From Kays's post:
"You need to set "full access" to the named pipe of SuRuns service (\Device\NamedPipe\SuperUserRun).
This ca be done in Sandboxie.ini:
OpenPipePath=\Device\NamedPipe\SuperUserRun"

2) From peterk62's post:
"...in the SuRun settings, go to the "Execution Hooks" tab and click the "Blacklist" button, then add the path to "Sandboxie\Start.exe" to the blacklist."


Thanks in advance for any clarification of these combined issues! -- jclarkw
This post was edited on 2012-04-09, 17:56 by jclarkw.
Close Smaller – Larger + Reply to this post:
Special characters:
Special queries
Go to forum
Not logged in. · Lost password · Register
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Page created in 127.4 ms (56.5 ms) · 57 database queries in 15.8 ms
Current time: 2019-06-16, 21:30:45 (UTC +02:00)