Sudo/command line only elevation? #146

Closed
parkovski opened this issue Apr 3, 2018 · 82 comments
Labels

  • Area-Server: Down in the muck of API call servicing, interprocess communication, eventing, etc.
  • Issue-Question: For questions or discussion
  • Product-Meta: The product is the management of the products.
  • Resolution-Fix-Available: It's available in an Insiders build or a release

Comments

@parkovski

I'm not sure this is the right place to ask about this, but I can't think of where the right place would be, so I'm just going to list my thoughts on this.

  • As Windows command line functionality improves to the point that the system can be used remote/headless, this is becoming more of a necessity than an annoyance. Actually, this really comes down to having an official SSH client: SSH connections have to open as Admin, potential security hole.
  • This is not some black magic thing or something that needs a UAC redesign or kernel work. I've experimented a little, and you can create a local service running as the system account which will give you elevated processes from the command line. I didn't pursue this any further though, because I don't have the time to commit to securing and testing the service, but I at least know it's doable.
  • Even if I did want to publish a fully-featured sudo service, many organizations are not going to trust a third-party utility that is that big of a potential security hole, and it's unlikely the official SSH distribution would come configured for it, so now we're back at point one again.
  • There is auto-elevation built into UAC, but only for the Windows publisher. So if this was a system utility, it's not even necessary to run it as a separate service.
  • I think for the vast majority of users, this is entirely unnecessary, and I'd be fine with something that's enabled as a part of dev mode or when installing SSH. Those two cases do need it though.
  • With WSL now we have a weird [restricted token, elevated token] x [regular account, root] scenario going on, where you have to be in the right kind of command prompt to get the correct privileges. If we had Windows sudo, I don't think it'd be too hard to unify it with the WSL sudo command.

Anyways, these are just my thoughts that I wanted to get out there. Happy to hear about any plans/concerns/a better place to have this discussion.

@zadjii-msft
Member

So I know there have been a LOT of discussions about getting a "sudo for Windows" built. I'm not sure that we have any concrete plans in place, but I know it's something a lot of us want. I'm certainly not the person to be asking about this - perhaps @bitcrazed or @yodurr can comment more?

@zadjii-msft zadjii-msft added Issue-Question For questions or discussion Resolution-External For issues that are outside this codebase labels Apr 3, 2018
@zadjii-msft zadjii-msft added this to the Backlog milestone Apr 3, 2018
@parkovski
Author

Thanks for the quick response! If I had to guess I'd say this probably would go to either whoever deals with UAC/token management or dev mode, but I don't know of any other Windows team that's as community friendly and easily reachable, so I figured it's worth a shot starting a discussion.

It's really conflicting, because I've seen so many scripts that just pop up the UAC dialog, and I could throw something together for myself that doesn't, but I can only fix the annoyance issue, not the "things being designed around the platform not supporting this" one.

@bitcrazed
Contributor

While we're not able to give you a firm timeline right now, I can echo @zadjii-msft's comment - we are sooooooooo keen for "Add sudo" to bubble up our priority list so we can get to work on it :)

As with anything to do with security, we will be working with the Windows core security & management teams to make sure that we "do it right".

@parkovski
Author

Good to know it's on the list, that's about as much as I can ask for. Thanks!

@bitcrazed
Contributor

@parkovski - If that's all you can ask for, I fear for your imagination :D ;)

@parkovski
Author

Hey now. I can ask for chocolate and berries to be a healthy diet or for politicians to stop pitting people against each other, but realistically all I'm gonna get is command line elevation.

@bitcrazed
Contributor

Chocolate isn't healthy? Pfffft!

@parkovski
Author

Uh oh, my cover's blown :(

@ExE-Boss

This will likely depend on ConPTY or something, as it’s currently impossible to get the STDOUT, STDERR or STDIN of an elevated process from a non‑elevated process :( (I know as I tried to implement a sudo cmdlet for PowerShell).

@Magissia

We need a full sudo, not just a "run as admin in terminal".

Sudo allows running arbitrary commands as arbitrary users, following its configuration.

@miniksa miniksa added Area-Server Down in the muck of API call servicing, interprocess communication, eventing, etc. Product-Meta The product is the management of the products. labels May 29, 2019
@miniksa miniksa added Needs-Tag-Fix Doesn't match tag requirements and removed Resolution-External For issues that are outside this codebase labels May 29, 2019
@vsalvino

Not terminal related, but I have a pretty good PowerShell sudo that has been working well for me in Windows.

Edit your profile:

PS > notepad $PROFILE

Add the following sudo function:

function sudo {
    Start-Process -Verb RunAs -FilePath "pwsh" -ArgumentList (@("-NoExit", "-Command") + $args)
}

Then invoke in your shell. Supports cmdlets, executables, anything that could normally be typed into a PS prompt:

PS > sudo Remove-Item .\test.txt  # Remove a file
PS > sudo Copy-Item .\test.txt C:\  # Copy a file
PS > sudo net start w3svc  # Start IIS

If you want to pass in a variable or expression that will be evaluated at run time, rather than pre-evaluated, wrap it in braces. For example:

PS > $myvar = "a"
PS > sudo echo $myvar  # $myvar is pre-evaluated, so the command reads: sudo echo "a"
PS > sudo { $PSVersionTable }  # with braces, $PSVersionTable is not evaluated until it is run as administrator

Remove "-NoExit" from the sudo function if you'd prefer to have the administrator window close when complete.

@parkovski
Author

@vsalvino Thanks, but this still requires UAC which is a no-go for some use cases (ssh). Unfortunately the only real solution to this is going to require a pretty decent amount of work.

@DHowett
Member

DHowett commented Jun 19, 2023

> It's pretty frustrating that the remaining canonical issue has been locked for discussion

Did you have something material to add? I would be glad to unlock it for further discussion. However: it definitely feels like we covered all possible opinions over there. 😄

@mmseng

mmseng commented Jun 19, 2023

I don't personally have the knowledge to contribute anything to the discussion, other than my desire to see the feature implemented. In fact I'm barely able to understand why this has been considered a lost cause. I'd have to read through it yet again but what I've taken away from it over the years is that Terminal has effectively considered the issue "wontfix" due to the design choice of chaining itself to the MS store installation mechanics.

Maybe I'm off base, but the point is, it wouldn't matter if I or anyone else did have something to contribute because there's no way to do so, aside from spinning up new issues or spilling over into others as I've regrettably done here.

If the issue is in fact dead then perhaps it should be closed. Either way, if there's not going to be any further discussion allowed, at the very least it would be appreciated to see a summary of the decision and reasoning in the final post, so that it's clear to everyone where the issue stands. To be clear I'm not necessarily saying we're owed this, or that shutting down the toxicity wasn't warranted.

@ChGen

ChGen commented Jun 20, 2023

Yes, given that Windows since Windows 7 by default doesn't use a strict UAC prompt policy, it's really strange that there are so many security concerns around Terminal being user-friendly with elevated admin tabs (and by user, I mean mostly advanced users, not the average Windows user). I'm thinking of making some custom profiles with gsudo-like apps...
I would understand if this feature were disabled by default, but for IT specialists it would be a very convenient feature.

@mominshaikhdevs

> I have implemented a lightweight POSIX-style Sudo implementation for Windows.
>
> It makes it possible for users to use elevated console apps in non-elevated consoles.
>
> For safety, the implementation uses UAC for elevation and doesn't support a credential cache. It also doesn't use a homemade Windows service or any IPC infrastructure.
>
> Introduction: https://github.com/M2Team/NanaRun/blob/0b6d760e18594d427658bbf9b88ce6b351f01fbd/ReadMe.md#minsudo
> Implementation: https://github.com/M2Team/NanaRun/blob/916efdf31eb941ef605878fe75cf63f2937bd0e7/MinSudo/MinSudo.cpp
>
> Maybe the implementation can help you.
>
> Kenji Mouri

the moment anything uses UAC (which requires GUI in its current form), it can't be used in command line only mode. thus we are back to square one.

the only ways that have been proposed so far to implement "a true command line only elevation mechanism"/sudo are:

  1. change the UAC implementation itself in the OS, so that it supports command line only elevation without requiring GUI, in a secure manner.
  2. using the author @parkovski's Windows Service mechanism and extending on that. Sudo/command line only elevation? #146 (comment).
  3. @sylveon's modifying the OS's UIPI. Sudo/command line only elevation? #146 (comment).
  4. a combination of the above three.

regardless of whatever paths the Windows team comes up with, at the end of the day it's a must-have feature for devs.

@MouriNaruto

@mominshaikhdevs

I don't think any elevation implementations that need to enter the password in the console meet the security requirement.

POSIX's sudo implementation can be easily bypassed automatically via pipe without any explicit notice to users if some malicious implementations know the password. I don't think it can meet the security goal for the Windows team.

I think the password authentication must be finished on a separate desktop from a separate session. We need to recall the reason that Microsoft introduced the secure desktop to show the UAC window for receiving the user credentials. (There are some historic lessons. Many malicious implementations are really good at emulating the user inputs.)

Kenji Mouri

@ChGen

ChGen commented Nov 13, 2023

Actually, I don't mind secure prompts in a separate desktop session, UAC-style. I do mind that I can't continue my work in the same window or at least in a nearby tab. This feature is missing for me as an advanced user/IT specialist. But at the same time, Windows by default allows elevations without prompts for "safe" apps for the whole public, including all the not-so-experienced users...

@mominshaikhdevs

@MouriNaruto

Yes, that's why I said "in a secure manner". It was already mentioned by somebody at #146 (comment)

It requires that the Windows team implements a "UAC's Secure Desktop"-like feature, but in a completely command-line-ish way/without any GUI prompt.

@MouriNaruto

MouriNaruto commented Nov 13, 2023

@mominshaikhdevs

> It requires that the Windows team implements a "UAC's Secure Desktop"-like feature, but in a completely command-line-ish way/without any GUI prompt.

In my opinion, there is no way to achieve that. Even if the terminal can do that, other 3rd-party apps that utilize the console pipe can't.

Unless we input a random credential token with a short expiration time (for example, 5 minutes at maximum) instead of the password in the console, and get that token in the secure desktop.

Kenji Mouri

@MouriNaruto

MouriNaruto commented Nov 13, 2023

I think Windows can introduce something like two-factor authentication which uses the time-based one-time password (TOTP; specified in RFC 6238) and the HMAC-based one-time password (HOTP; specified in RFC 4226).

It may prevent some malicious implementations from emulating the user inputs easily and users can use Microsoft Authenticator on their mobiles to know the one-time password.

Kenji Mouri

@mominshaikhdevs

actually anything is possible, if you think it hard enough and own/have access to the Windows Security source code.

Brand New APIs from the Windows team are required.

@MouriNaruto

> actually anything is possible, if you think it hard enough and own/have access to the Windows Security source code.
>
> Brand New APIs from the Windows team are required.

It's not possible even with the Windows source code, due to the design of pipes and the console, and they need to keep compatibility.

Kenji Mouri

@MouriNaruto

If the thing were possible, they would have already implemented it, lol.

Kenji Mouri

@DHowett
Member

DHowett commented Nov 13, 2023

Hey there! Since there are so many people subscribed to this thread (and I'm sorry to be notifying them again) I'm going to lock it for now. If you want to talk about the potential implementation details for a "sudo for Windows"-like project, feel free to head on over to the Discussions section.

That way, we can keep this issue open for people who have subscribed for status updates. 😄

@zadjii-msft
Member

Closing as we're shipping Sudo for Windows in Windows 11 Insider Preview Build 26052

For more discussion, you'll probably want to head to https://github.com/microsoft/sudo

@zadjii-msft zadjii-msft added the Resolution-Fix-Available It's available in an Insiders build or a release label Feb 8, 2024
@agowa

agowa commented Feb 9, 2024

@zadjii-msft Just one thing, can you say anything about the note in that announcement? What's the long term plan for server? To just have people diy patch it in? As an optional feature? With the next version bump?

That's probably the only thing that is still relevant for this ticket here.

> NOTE: The setting for enabling Sudo may incorrectly be showing on Windows Server Insider Preview builds – this feature will not be available on Windows Server and the setting will be disabled in a future Server Insider Preview build.

@zadjii-msft
Member

@agowa I filed microsoft/sudo#50 to track sudo on Server - I'd go engage on that thread if you have anything we can use as business justification ☺️
