-
Notifications
You must be signed in to change notification settings - Fork 8.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Megathread: sudo, runas, mixed elevation of tabs, etc. #1032
Comments
@hansmbakker Windows Terminal (or any terminal for that matter) doesn't - and cannot - know anything about sessions, command history, or locations. It's just a (virtual) screen and a (virtual) keyboard that connects to whatever client (cmd, powershell, bash) the user wants to use. The responsibility for managing that information lies with the clients (applications) themselves. I understand what you're asking, and sympathize though. Using Thanks for your feedback, but I'm going to close this as it's not feasible in the manner you would like. |
Couldn't each tab run in it's own isolated process - with some being elevated, and others not - but in the same Window? |
@mdtauk In theory, yes. But (1) this isn't what the op is asking, and (2) I'm not certain if ConPTY is baked enough to allow this yet. At a minimum, I'd imagine the main terminal process would need to be elevated, or at least some kind of proxy process would need to be, but that means we'd then have to create a means of communication between the terminal, the proxy (which is a conpty server) and the elevated app (conpty client.) Things get hairy fast after that. |
@oising Thanks for the reply. I think this suggestion has cropped up previously, and was wondering of the feasibility. Its not as elegant as typing sudo or even elevate. But adding a profile for an elevated prompt which when clicked/tapped - brings up the UAC dialog, and then creates the elevated tab within the window - could be useful. |
It's a pity that it is unfeasible, but thank you for your explanation. |
Hosting a connection to an elevated process in a window owned by a medium-integrity (that is: not elevated) process is dangerous because any other medium-integrity process could possibly inject input into it or scrape output from it. That’s the sole reason we’ve been given by the windows security team to not endeavour to do this. |
Thanks for being transparent about it. On the technical side, I’m wondering why |
Sudo is a Linux concept, and the way User and Admin concepts are handled between Linux and Windows are very different, and I guess that is what makes it not possible. |
Anytime someone uses I'm not really familiar with the Windows security model and what is possible, but is it an idea for the terminal process to run protected from injection and scraping by default? |
@DHowett-MSFT do we have a sudo megathread that combines all the 100 ways we've said no? Because we really should at this point |
Disclaimer - I am not a developer etc. on the terminal project, just a user. And my knowledge of UWP is cursory at best. Trying to add a " ... as a administrator" shortcut is unfortunately going to be difficult because the Windows Terminal application is not a "traditional" win32 app (like PowerShell or cmd.exe), it's packaged as a UWP application. And UWP is specifically does not allow this. For example EDIT - Terminal isn't UWP, it's packaged as a UWP.
Ref - https://docs.microsoft.com/en-au/windows/msix/desktop/desktop-to-uwp-prepare
Ref - https://docs.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations HOWEVER all hope is not lost. UWPs can't just be started from the commandline, for example running But you CAN start them via the APX Activation Manager. This gist Shows a powershell way to run an arbitrary UWP app. So you could run |
@glennsarti you’re partially right. The terminal isn’t a UWP, but it is MSIX-packaged like one. Because it’s not a UWP, though, you can just use “Run as administrator” on it. The thing it doesn’t, and probably cannot safely (per discussion above) support is running processes from multiple integrity levels in the same session. |
Thanks @DHowett-MSFT ! (Yeah, my UWP isn't the best 😞 ) I've edited my original comment. One thing's that odd though. I can't save that I want to always elevate. I'm putting this down to UWP because the "Target type" isn't I added a "Standard" shortcut for comparison in the screenshot.
Yup 100% agree. |
### ⇒ [doc link](https://github.com/microsoft/terminal/blob/dev/migrie/s/5000/doc/specs/%235000%20-%20Process%20Model%202.0/%235000%20-%20Process%20Model%202.0.md) ⇐ ## Summary of the Pull Request This spec is _exceptionally long_, and is currently a work in progress. There are a few more things I'd like to have experimentally verified (though, I'm fairly certain they _will_ work, with the right combination of flags and such). Additionally, a few sections have remaining TODOs before the spec is finished. However, this spec is already fairly long, and I want to give people as much time to get their eyes on it as possible. ### Abstract > > The Windows Terminal currently exists as a single process per window, with one > connection per terminal pane (which could be an additional conpty process and > associated client processes). This model has proven effective for the simple > windowing we've done so far. However, in order to support scenarios like > dragging tabs into other windows, or having one top-level window with different > elevation levels within it, this single process model will not be sufficient. > > This spec outlines changes to the Terminal process model in order to enable the > following scenarios: > > * Tab Tearoff/ Reattach ([#1256]) > * Run `wt` in the current window ([#4472]) > * Single Instance Mode ([#2227]) > * Quake Mode ([#653]) > * Mixed Elevation ([#1032] & [#632]) ## PR Checklist * [x] Specs: #5000 * [x] References: #1256, #4472, #2227, #653, #1032, #632, #492 * [x] I work here ## Detailed Description of the Pull Request / Additional comments _\*<sup>\*</sup><sub>\*</sub> read the spec <sub>\*</sub><sup>\*</sup>\*_
Create a fresh shortcut (right click desktop -> new shortcut) and enter |
Random thought: wouldn't it be possible, in Windows, to allow unelevated app to opt-in to UIPI (via the app manifest, for example) so that they are effectively isolated like admin apps, while still not actually running as admin? That would resolve the scraping/injection concern, opening up the possibility to run mixed tabs elevation. |
@sylveon That's maybe possible, though I don't know about that too much. Would that break screen readers or other accessibility tools? Or even IMEs? I'd love to see a proof-of-concept! |
Screen readers, IMEs and other accessibility tools already use UI Access to punch a hole in UIPI, so there shouldn't be much of an issue here. However I can't come up with a PoC because it would require platform support (afaik) and I'm not a Windows developer yet ;) |
Huh. Shame I'm on leave for the next month, otherwise I'd give it a go. Maybe when I get back... Oh wait, nevermind. That's why this won't work:
so the problem here is
OH I see - you're suggesting that we modify UIPI to enable this scenario, rather than "this is something that you can do as an app developer today". Okay. That makes more sense. I'm all over the place today. Sorry for the confusion. |
Indeed, I was suggesting modifying UIPI in the OS itself to support this scenario: blocking the communication between malicious.exe and wt.exe even at the same (or lower) IL |
### ⇒ [doc link](https://github.com/microsoft/terminal/blob/dev/migrie/s/1032-elevation-qol/doc/specs/%235000%20-%20Process%20Model%202.0/%231032%20-%20Elevation%20Quality%20of%20Life%20Improvements.md) ⇐ ## Summary of the Pull Request Despite my best efforts to mix elevation levels in a single Terminal window, it seems that there's no way to do that safely. With the dream of mixed elevation dead, this spec outlines a number of quality-of-life improvements we can make to the Terminal today. These should make using the terminal in elevated scenarios better, since we can't have M/E. ### Abstract > For a long time, we've been researching adding support to the Windows Terminal > for running both unelevated and elevated (admin) tabs side-by-side, in the same > window. However, after much research, we've determined that there isn't a safe > way to do this without opening the Terminal up as a potential > escalation-of-privilege vector. > > Instead, we'll be adding a number of features to the Terminal to improve the > user experience of working in elevated scenarios. These improvements include: > > * A visible indicator that the Terminal window is elevated ([#1939]) > * Configuring the Terminal to always run elevated ([#632]) > * Configuring a specific profile to always open elevated ([#632]) > * Allowing new tabs, panes to be opened elevated directly from an unelevated > window > * Dynamic profile appearance that changes depending on if the Terminal is > elevated or not. ([#1939], [#8311]) ## PR Checklist * [x] Specs: #1032, #632 * [x] References: #5000, #4472, #2227, #7240, #8135, #8311 * [x] I work here ## Detailed Description of the Pull Request / Additional comments _\*<sup>\*</sup><sub>\*</sub> read the spec <sub>\*</sub><sup>\*</sup>\*_ ### Why are these two separate documents? I felt that the spec that is currently in review in #7240 and this doc should remain separate, yet closely related documents. #7240 is more about showing how this large set of problems discussed in #5000 can all be solved technically, and how those solutions can be used together. It establishes that none of the proposed solutions for components of #5000 will preclude the possibility of other components being solved. What it does _not_ do however is drill too deeply on the user experience that will be built on top of those architectural changes. This doc on the other hand focuses more closely on a pair of scenarios, and establishes how those scenarios will work technically, and how they'll be exposed to the user.
Summary of the new feature/enhancement
Current situation:
Currently most console apps (Powershell, CMD) need to start a new session for getting administrator access. This results in a less optimal workflow, because then you lose
cd
into it again)Proposed technical implementation details (optional)
A bit like
sudo
, started with a button:The text was updated successfully, but these errors were encountered: