Problems with Sandboxie

OLLI_S

I also use Sandboxie 5.12 (64 Bit) to start Mozilla Firefox in a sandboxed environment, so all changes made by the browser (downloads, temp files, cookies) are stored within a sandbox and don't touch my system.
Just if anybody asks: when I download a file then Sandboxie asks if I want to transfer the file to my PC or if it should stay in the sandbox.
My hope is that also malicious software that you can get by drive-by-injections are also kept away from my system.
I am also using an security suite with a classic virus scanner.

I had 1Password 4.6.0.604 (latest stable) installed.
After the installation I opened Firefox outside the sandbox and installed the 1Password browser extension.
Then I clicked on the 1Password icon in Firefox and set up 1Password for Firefox (the connection).
Now I can click on the 1Password icon in Firefox and can use 1Password normally.

When I start Firefox in sandboxed mode and click on the 1Password icon in Firefox, this is also working.
I have full access to my 1Password vault.
Remember, I still used 4.6.0.604 (latest stable).

Then I went to the settings of 1Password and checked for beta updates.
Now 1Password 4.6.0 Beta 613 is installed.

I started Firefox in normal mode (not sandboxed) and everything worked fine.
When I start Firefox in sandboxed mode and click on the 1Password icon in Firefox then the 1Password welcome URL is shown:
https://agilebits.com/browsers/welcome.html

I also have to select the 1Password application again.
In Sandboxie all sandboxed windows have a yellow border, so you see at once that this window where I have to select 1Password is shown inside the sandbox:

Then 1Password is started a second time and here I see the welcome screen (where I can create a new vault or open an existing vault).

To check this again I uninstalled 1Password 4.6.0 Beta 613 and installed 1Password 4.6.0.604 (latest stable).
Here I started Firefox in normal mode (not sandboxed) and set up the connection to 1Password.
Everything is working.
But also when I start Firefox in sandboxed mode everything is working!

So I can not use Sandboxie with 1Password 4.6.0 Beta 613 but with 1Password 4.6.0.604 (latest stable) it is working.
Can you please have a look at this problem?

---

1Password Version: 4.6.0 Beta 613
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

AGAlumB

@OLLI_S: I suspect this may be due to some improvements we've made in recent betas to harden security between 1Password and the browser extensions, so I don't expect we'll be reverting these changes. However, I may be wrong if it's due to something else entirely. Can you tell me the exact OS and Sandbox versions you're using so I can test this? Thanks in advance! :)

OLLI_S

I have Windows 10 Professional Version 1607 Build 14393.105 (Anniversy Release) in German language.
Sandboxie is the stable version 5.12 in 64 Bits.
I use Mozilla Firefox Portable 48.0.2 from PortableApps.com (http://portableapps.com/apps/internet/firefox_portable)
But you should be able to reproduce it with Sandboxie and the normal version of Firefox.

AGAlumB

@OLLI_S: Thanks! I tested this by stepping through a few betas of 1Password 4, and found that the 1Password browser extension still works with Firefox sandboxed in each of them. However, it doesn't work right off the bat because the extension in sandboxed Firefox needs to first start the Helper (Agile1PAgent.exe). 1Password cannot communicate with the browser otherwise.

So at first, when you click the extension button, you'll get the connection error (since the Helper is not yet running in the sandbox with Firefox). Similarly, Firefox cannot connect if it was lunched without the Helper running. So you really need both in your sandbox. After launching Firefox with the Helper already running in the sandbox, clicking again brings up the unlock prompt because the two can communicate.

So just make sure you have each piece of the puzzle (browser, extension, Helper) and you can continue to use this setup. I hope this helps! :)

OLLI_S

@brenty I have a big problem!
Today I updated 1Password to 4.6.1.616 and also the Firefox browser extension.
The old version of 1Password (4.6.0.604) worked with the sandboxed Firefox, the current stable version does not.
When I start Firefox outside the sandbox it is working.

The behavior is exactly as you described above.
And I also know that I have to start both apps in Sandboxie.
But starting 1Password sandboxed is not working, here I get the following error message from Sandboxie:
SBIE2205 Service not implemented: CreateDesktop

The problem is when I start 1Password sandboxed, then all changes made to my password vault is also sandboxed (and not written to my HDD). Here I must remember to move the files from the sandbox to my HDD.
Very high risk of data loss.

So, @brenty do you have any solution for me?
Meanwhile I will uninstall 1Password 4.6.0.604 and go back to 4.6.1.616 where everything worked.

AGAlumB

@OLLI_S: I apologize for the confusion there! We've recently added mutual authentication to 1Password's connection to its browser extensions. You can find more detailed discussion here.

It sounds like Sandboxie might now allow these secure connections, but this isn't a change we're going to roll back. Are you able to set an exception for 1Password? If not, and if you are the sole user of your computer (no other local or remote logins), you can safely use the previous version of the app.

But going forward 1Password will be requiring authentication to ensure that both sides are identified before transmitting any information. Not everyone is willing or able to run all of their software in a sandbox, so we really need to focus on making 1Password secure on its own, rather than designing it with this specific use case in mind. I'm sorry that I don't have better news for you. :(

OLLI_S

@brenty
In Sandboxie I can add some applications to the "software compatibility" list, but here Sandboxie only shows applications that are supported by Sandboxie and that are found on my system. 1Password is not listed here, so I can not select it.
In the Sandboxie forums (forums.sandboxie.com/phpBB3/index.php) there is also no topic for 1Password yet.
So I will install the old version of 1Password now.

But this can only be a temporal solution
You should find a solution for this problem in 1Password 6.
I think that Sandboxie is used by many users, in the forums there are nearly 25000 users.
Although I ave an Internet Security Suite I always start all my web browsers sandboxed, so no malicious software can affect my system (there are many drive-by-infections).
If 1Password is not working with Sandboxie I really have to think if I want to skip my security shield (Sandboxie) or if I switch back to my old password manager.
I really love 1Password, but security is also very important.

AGAlumB

If 1Password is not working with Sandboxie I really have to think if I want to skip my security shield (Sandboxie) or if I switch back to my old password manager. I really love 1Password, but security is also very important.

@OLLI_S: I couldn't agree more that security is important. We wouldn't be here if we didn't believe that. But I disagree that you have to choose between 1Password and security. Going back to my earlier comments, we design 1Password to be secure on its own; so while Sandboxie is a neat tool and almost certainly important in many cases, you don't need it in order to use 1Password securely — especially with the mutual authentication we're doing with the browser extensions (which of course why we're having this conversation now).

The "compatibility list" is interesting, but I have to be honest: so far you're the only one to bring this up, so I'm not sure it makes sense to pursue this at this time. We have to prioritize the work we do to do the greatest good for the most users. But certainly if this becomes a popular request and we can do it without compromising 1Password's security (again, mutual authentication) or usability, it's certainly something we'll consider.

I guess my point is that we cannot count on or expect all 1Password users to use Sandboxie, so we need to continue to improve 1Password to keep it secure for all users and avoid dependency. I'm sorry for the inconvenience our browser security improvements have caused, but it isn't something we can compromise on. It's what we expect of ourselves and our products, and all of our customers deserve no less.

OLLI_S

@brenty: what about moving this topic to the normal Windows forums, because the problem also occurs with the current stable version. And can you please change the title from "1Password 4.6.0 Beta 613 - Problems with Sandboxie" to "Problems with Sandboxie"? Maybe some other users also have Sandboxie?
Thank you!

Next you should understand what is in my mind.
I really love 1Password and you see this in the huge amount of suggestions I have made. It is a really powerful password manager that is by far better than my current password manager KeePass. 1Password also increases the security in comparison to KeePass (Watchtower, show weak and duplicate passwords).
And I really like the excellent support I get here (especially from you, @brenty but also from all others).
So there is no doubt that I love 1Password and I want to stay at 1Password.

But I know a bit about IT security and also a bit about the dangers that are out there.
I know that you can get infected just by typing in the wrong URL or by clicking the wrong link in the search result. Opening a webpage is enough to get infected these days, you even don't have to click anything. I remember the report that malware was delivered by advertisement (the advertiser was hacked). And I know that a Virus-Scanner can not protect you completely.

So my decision is to use a sanbdoxed browser, where all content (like cache, cookies) but also malware is stored on a secure area on the system. The malware can modify my system settings, change the registry and delete files, but this is only done in the sandbox. After I delete the content of the sandbox my system is clean again.
At least is this wat the developers of Sandbosie promise.
So here I have an additional security layer that protects me before malware reaches my system.
Referring to your posting @brenty: I need Sandboxie to browse securely in the web and not to increase the security of 1Password (but maybe I did get your posting wrong?).

I understand that applications have problems accessing sandboxed applications and communicating with them, but luckily 1Password worked with Sandboxie. So I manually added 55 passwords from KeePass and also changed the passwords on the web service (so the date when I last changed the password is correct and Watchtower can warn me).

Now you changed something and 1Password is no longer working with Sandboxie. Your changes should increase the security level, so I understand that you will not revert these changes. And I also think that you will have this feature in 1Password 6.
So also in 1Password 6 I will have these problems.

If I open my sandboxed browser, there is no way to fill form data, login to websites with the kot key, search for entries and so on. So all the comfort mechanism ae not working.
This is the reason why I am so frustrated: I found the perfect password manager but now it is not working with Sandboxie.

So, what can I do now?

• Cry? I already do this! :'(
• Use Firefox without Sandboxie? Would make my system less secure!
• Use an other browser that has sandboxing included? Edge is working on such a feature and I don't know about the sandbox features in other browsers (I don't use Chrome). But when sandboxing in browsers would work, why are there still so many drive-by-infections?
• Switch back to KeePass? Not really an option, I love 1Password!

It would be perfect when you an your team can investigate this and offer any solution here.
Thank you!

AGAlumB

what about moving this topic to the normal Windows forums, because the problem also occurs with the current stable version. And can you please change the title from "1Password 4.6.0 Beta 613 - Problems with Sandboxie" to "Problems with Sandboxie"? Maybe some other users also have Sandboxie? Thank you!

@OLLI_S: Excellent suggestion! The beta has become the stable now, after all. Done. :)

I'm really sorry for the frustration this is causing you. As you can imagine, we don't test unsupported setups — Sandboxie, WINE, etc. — when making changes, especially important ones like mutual authentication. Our highest priority is to make 1Password a secure, convenient experience for the average user. But much like we've made some tweaks in the past to accommodate Linux users, if we can find a way to allow you to use it with Sandboxie without making 1Password less secure or convenient to use overall, we will. I just can't guarantee that this is something that is possible at all or probable at this time since we have limited resources and we have a lot of work to do on 1Password in general. :blush:

Sandboxie is a fascinating tool, but I disagree that it's necessary to stay safe online. If it is, then god help us all, because that suggests that the average person has no hope of using the internet safely. The day accept that as fact is the day I build my isolated cabin in the woods. :p

That said, I think I may have found a solution. I was able to get it working by giving C:\Program Files (x86)\1Password 4\Agile1PAgent.exe file access to %LocalAppData%\AgileBits\OPX4.auth. You may be able to do it as read-only provided you complete the authentication in Firefox outside of Sandboxie first. Otherwise 1Password will need read/write access to create the file. You can also experiment with direct access if you'd prefer to perform the authentication anew each launch, but that's a bridge too far for me. :lol:

We're not doing anything crazy or mystical here, so you should be able to grant 1Password the ability to connect to the browser even if we make further changes. But ultimately Sandboxie settings ( :scream: ) are not our area of expertise, so it will be up to you to do so. Anyway, I hope this helps. ;)

OLLI_S

I was able to get it working by giving C:\Program Files (x86)\1Password 4\Agile1PAgent.exe file access to %LocalAppData%\AgileBits\OPX4.auth.

@brenty: how do I perform this?
I need a helping hand here....
Thank you!

AGAlumB

@OLLI_S: Indeed. I don't remember the exact steps, and the UI and documentation are not particularly user-friendly. But generally you'll need to configure the File Access settings to allow Agile1PAgent.exe to access OPX4.auth (in C:\Users\(user name)\AppData\Local\AgileBits\), which is where the shared secret for 1Password 4's mutual authentication is stored in encrypted form:

Sandboxie: Resource Access Settings

I did this with "Full Access", but as I mentioned it could probably work with Read-Only Access once the file has been created. 1Password needs to create it when you authenticate the connection initially so that it can access it to re-establish the connection on subsequent launches of the browser. If you have other questions about how to configure Sandboxie though, you'll probably find more knowledgeable folks in the Sandboxie forums. Cheers! :chuffed:

jonrnh

I too had the same problem. Thank you @brenty for the details needed to fix it. (Especially the process name and pathname.) I also had to change the dropbox file authorization to the agent process instead of 1password.exe ... or I did and it is now working. Not 100% sure that was necessary.

AlexHoffmann

Thanks for your input, @jonrnh!

We're glad Brenty's instructions helped you.

Cheers!

chrisparker_inv

Hey all! My name is Chris Parker and I work for Invincea as a developer on X which utilizes Sandboxie for its container.

I see the solution suggested here, and I am concerned that allowing the shared secret to be seen/read inside the sandbox might not be the most secure solution to this problem. I would rather see the extension talk to the agent that is running outside the sandbox, so if a rogue agent were running inside the sandbox it would not have access to the shared secret.

I understand this might not be the best place to troubleshoot this issue, so I invite anyone from agilebits to communicate with me directly to work on resolving it. If the reason the connections aren't working are due to a deficiency in Sandboxie, I feel certain we would make a code change to fix it. I will post whatever becomes of this collaboration here.

I also really want to get this working in the sandbox since I am a customer! I love 1Password!

Thanks!
Chris Parker

AGAlumB

@chrisparker_inv: Heya, Chris! I'm glad to hear that you love 1Password as much as we do. I'm sure we can come up with a solution.

Just to clarify, I think you may be reading a little too much into the function of the shared secret we store for 1Password/browser mutual authentication. This isn't any sensitive information; it's simply a token that is saved upon successfully connecting the first time. This serves two functions:

1. Verifying that you're the one trying to use the browser extension to connect to 1Password, and
2. saving the token so the user doesn't have to authorize it each and every session.

The purpose of this is to guard against another user on the same machine trying to connect to 1Password running in your account with a browser running in theirs, allowing them to access your data. You can read more information here.

But with both 1Password and the browser running in the sandbox, the only thing we need to worry about with regard to Sandboxie is how the token is stored. It will need to be stored in some way, since this is how 1Password knows you have authorized the connection (another user on the same machine will not be able to authorize 1Password on your account for you). But it could be stored only for the session and reset along with other sandbox data (which will require authorization again for the next session), or stored permanently to allow the connection each time the sandbox is used.

Ultimately, this is a matter of preference, so my suggestions above are a starting point that the user can use to configure the sandbox according to their own preferences — meaning, whether they want a truly "clean slate" each session or not.

So what are the risks then? Certainly, if you install a malicious piece of software inside your sandbox (likely disguised as a browser) with 1Password, it could try to get you to authorize it. It would then have its own shared secret, and could connect to 1Password freely. That sounds not only pretty bad, but rather plausible (though I haven't personally seen instances of this type of malware, either before or after mutual authentication). However, unless you disable 1Password Help > Advanced > Verify web browser code signature, 1Password won't even try to connect to it. 1Password recognizes the code signatures of all supported browsers, and many alternative and prerelease builds. So that prevents just anyone from saying "I'm Firefox!" to get to your data. Even if Firefox is simply damaged, 1Password will not connect to it due to the signature verification failing.

But while I think this is a workable solution for 1Password and Sandboxie users, we're certainly open to a dialogue that may allow for easier interoperability. Shoot us an email at support+extension@agilebits.com and we can exchange ideas. Cheers! :)

chrisparker_inv

Thanks @brenty! I'll look further into this with this information. Thanks again!

AlexHoffmann

You're most welcome! Let us know if we can help you with anything else or if you have more information to share.

chrisparker_inv

Here is what I have for Sandboxie. The lines I include here are very specific. Depending on your setup you may or may not need them. This is tested for 1Password 4, not 6. You will probably need to change my user name in paths from cparker to whatever yours is.

First we need to open up the location of the keychain.
OpenFilePath=Agile1pAgent.exe,c:\users\cparker\documents\1password\

For this I have used an OpenFilePath so if I add a login, it will persist it outside of the sandbox. If you only wanted to be able to read it, then use ReadFilePath. I have further restricted the writing to only the Agent. This path will vary on your system. You might be able to tighten it up and specify the actual file.

WriteFilePath=c:\users\cparker\appdata\local\agilebits\
This path allows the extension to authenticate. Being a WriteFilePath, this will not allow the browser extensions inside the sandbox to read this file, and the sandboxed extensions will have their own copy of this file. If you delete the contents of the sandbox, you will have to authenticate again. You could set this to OpenFilePath and you wouldn't have to do that.

WriteFilePath=c:\users\cparker\appdata\roaming\agilebits\
This looks like where the license sits and some temporary pngs.

The last one might need some insight from AgileBits.
OpenIpcPath=1Password.exe,*\sessions\*\basenamedobjects*\1passwordmutex
Since there are likely to be two running on the system, there might be issues with locking. I tried running with and without this line and it worked fine both ways. I probably didn't really exercise the timing properly.

MikeT

Hi Chris,

That's very kind of you to share that with us, thank you.

OpenIpcPath=1Password.exe,\sessions*\basenamedobjects\1passwordmutex

I believe that is the IPC call to establish universal unlock between the 1Password program and the 1Password Helper. You may notice both apps get out of sync on the lock status if this isn't permitted.

jonrnh

@chrisparker_inv perhaps the config code below could be added to sandbox config / applications / security and sandboxie could check and enable if 1password is present in the system. I'm not fully certain about the difference between sandbox / sandbox settings compared to configure / software compatibility.

I have also used the windows path variables to remove the hard-coding of the user's name and opened up the default 1password dropbox folder in case that is being used.

(I added this to Sandbox/Default Box/Sandbox Settings/Applications/Local, but it probably should be under applications/security)

[Template_Local_1password]
Tmpl.Title=1password
Tmpl.Url=https://1password.com
Writefile=Agile1pAgent.exe,%LocalAppData%\AgileBits\
OpenFilepath=Agile1pAgent.exe,%HomePath%\Dropbox\Apps\1Password\
OpenFilepath=Agile1pAgent.exe,%HomePath%\Document\Apps\1Password\
WriteFilePath=c:%LocalAppData%\roaming\agilebits\
WriteFilePath=%LocalAppData%\agilebits\
OpenIpcPath=1Password.exe,*\sessions\*\basenamedobjects*\1passwordmutex
Tmpl.Class=Local

MikeT

You might want to be careful with the space in the environment paths, it should be %LOCALAPPDATA%, not %LOCAL APPDATA%

AGAlumB

@jonrnh: It's really hard to tell, but I think I fixed up the spaces and formatted that to be more readable. Let me know if that helps!

jonrnh

For some reason the above works fine (thanks for the cleanup @brenty) for existing 1password entries, but not for updated (and maybe new ones). Then there are files being created in the sandbox with the following suffixes. Adding these lines makes it work but lets the 1password helper process write these suffixed files anywhere, which isn't really right.

OpenFilepath=Agile1pAgent.exe,*.1password
OpenFilepath=Agile1pAgent.exe,*.js
OpenFilepath=Agile1pAgent.exe,*.1Password.write

@chrisparker_inv are you still around? Do you understand why the OpenFilepath for the directory does not seem to work for sub-folders (which the documentation expressly says will work)? Also, can you also get this installed in the standard Sandboxie settings for applications/security

https://www.sandboxie.com/index.php?OpenFilePath

OpenFilePath=C:\Downloads\
. . .
The first example setting specifies that any files (or folders) created in the folder C:\Downloads (and in any folder below it) will not be sandboxed. Note that the final backslash character is important, because a star will be placed at the end of the string.`

AGAlumB

@jonrnh: Sorry for the confusion there! Any time you create or modify an item in your vault, 1Password will need to write those changes to disk for them to persist. This will always be localized within the .opvault or .agilekeychain you're using though, so it should be pretty easy to add an exception for that. But if subfolders aren't working that complicates things slightly.

chrisparker_inv

Yup, I'm still here. Looking into the OpenFilePath stuff.

AGAlumB

@chrisparker_inv: Thanks for following up. Let us know what you find! :)

chrisparker_inv

@jonrnh At first I thought I was having a problem with OpenFilePath, but I realized I was not editing the correct Sandbox.ini file, (doh!) When I edited the right file, it worked for me fine. Then I noticed in your posts you have OpenFilepath not OpenFilePath. That might be your problem. With the lines in my post before, I was able to save a login out to the host file.

@brenty On an earlier version of 1Password, I didn't have to run the Agile1pAgent.exe in the sandbox, the extensions were able to communicate with it outside the sandbox. In my opinion, that would be the best. For the new style authentication paradigm, is there different ways of communicating between the extension and the agent so that a new file NEEDS to be created in the sandbox, or SHOULD the extension work if the OPX4.auth file is visible in the sandbox?

Thanks!

AGAlumB

@chrisparker_inv: Thanks for following up, Chris! I didn't notice the case there myself either. :lol:

I'm not sure I fully understand your question, but I'll give you the rundown of what 1Password's doing and we can hopefully meet in the middle.

Starting with 1Password for Windows version 4.6.1 (and 1Password for Mac version 6.3.4, for reference), we're using mutual authentication when connecting to the browser extensions. When the user authorizes the connection, 1Password (in the case of version 4, the Helper, Agile1PAgent.exe) writes the shared secret to disk to be used in future sessions, so that it doesn't need to be authorized each session. So in the context of Sandboxie, it sounds like the Helper needs be running inside the sandbox both to establish the connection and save the secret, and then it will also need access C:\Users\(user name)\AppData\Local\AgileBits\OPX4.auth both for writing initially and reading going forward. So the Helper, browser, and OPX.auth need to live in the same sandbox, I think. Does that make sense?

chrisparker_inv

@brenty Yes it does, sorta. It looks like it uses websockets to communicate with a native component. In Sandboxie, it looks like the extension is trying to connect via websockets to something and failing. I'm guessing it is Agile1PAgent.exe. This failure seems to make the extension think that Agile1PAgent is not running and launches it. Of course this launches in the sandbox and it needs access to the OPX4.auth file to authenticate.

I'm not sure why the websockets connection is failing. From what I understand websockets is just normal TCP/IP traffic, and the configurations that I am using do not block any TCP/IP traffic. Here is a snippet from the firefox console.

Firefox can’t establish a connection to the server at ws://127.0.0.1:6263/4.  (unknown)
onepassword:[AGENT] socket error: [object Event]; readyState=3. Perhaps Helper is not running on ws://127.0.0.1:6263/4 or is shutting down?  global.min.js:97
Firefox can’t establish a connection to the server at ws://127.0.0.1:10196/4.  (unknown)
onepassword:[AGENT] socket error: [object Event]; readyState=3. Perhaps Helper is not running on ws://127.0.0.1:10196/4 or is shutting down?  global.min.js:97
Firefox can’t establish a connection to the server at ws://127.0.0.1:14826/4.  (unknown)
onepassword:[AGENT] socket error: [object Event]; readyState=3. Perhaps Helper is not running on ws://127.0.0.1:14826/4 or is shutting down?

On my Sandboxie testing machine, there is an Agile1PAgent running on port 6263 that Sandboxie firefox can't talk to, so when it launches Agent1PAgent itself that agent runs on 10196.

When I have both Agile1PAgents running, then kill the host one, restart firefox, the extension tries to connect to the one in the sandbox. It prompts again for the authentication, then I get a access denied file write error.

Could not write session state file Object { operation: "move", path: "C:\Users\cparker\AppData\Roaming\Mo…", winLastError: 5, stack: "", fileName: "(unknown module)", lineNumber: 0 } SessionFile.jsm:346

At first I thought this was writing the OPX file, but I think the partial path excludes that possibility.

So it looks like non-sandboxed firefox can talk to a sandboxed agent, but not the other way around. I don't see any reason why this should be the case...

MikeT

Hi @chrisparker_inv,

Did you ever disable the code signature check in 1Password? It would explain the inability to connect, it's not that 1Password Agent wasn't running on the initial 6263 port but it was being rejected by 1Password Agent.

At first I thought this was writing the OPX file, but I think the partial path excludes that possibility.

That is a very strange path, not something we use. Do you know what it was pointing to?