Spec for Elevation QOL improvements #8455
Conversation
zadjii-msft
added
Issue-Docs
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
|
Should the roadmap be updated accordingly? I mean in the “open tab as admin” section in |
meh, probably. Could use some editorializing to reflect the current state of the #5000 plans. Thanks for bringing that up! |
|
Note to reviewers: I'm probably going to be changing this from |
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Outdated
Show resolved
Hide resolved
| comfortable shipping a mixed-elevation solution, because there's simply no way | ||
| for us to be confident that we haven't introduced an escalation-of-privilege | ||
| vector utilizing the Terminal. No matter how small the attack surface might be, | ||
| we wouldn't be confident that there are _no_ vectors for an attack. |
There was a problem hiding this comment.
Especially given our roadmap has us replacing the default story with the Terminal. And we don't want to be vulnerable by default. Individually choosing to be vulnerable... that's different.
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
| and have the elevated window open with the profile automatically. | ||
|
|
||
| We'll be adding the `"elevate": true|false` setting as a per-profile setting, | ||
| with a default value of `false`. When set to `true`, we'll try to auto-elevate |
There was a problem hiding this comment.
Should we maybe display the actual command before auto-elevate the profile? Malicious software could possibly modify the elevated profiles and perform some kind of injection. Users will not notice the difference if the profile is auto-elevated, and naturally say "yes" to some malwares unconsciously.
There was a problem hiding this comment.
I believe UAC will do that already, though, it's in the "show details". I suppose we'll only be showing the profile... I guess that means someone could edit the settings so the profile was "commandline": "malicious.exe", and there's nothing preventing them from doing that. That's not good. Yea there should probably be another internal warning.
This comment has been minimized.
This comment has been minimized.
ghost
requested review from
carlos-zamora,
DHowett,
leonMSFT,
PankajBhojwani and
lhecker
| One easy way of doing this is by adding a simple UAC shield to the left of the | ||
| tabs for elevated windows. This shield could be configured by the theme (see | ||
| [#3327]). We could provide the following states: |
There was a problem hiding this comment.
By making it a part of themes, that means it'll act like a global setting right? We won't have a scenario where you can have a different icon on each tab?
There was a problem hiding this comment.
Correct. This icon's only in the top-left of the entire window, not the tab.
| One easy way of doing this is by adding a simple UAC shield to the left of the | ||
| tabs for elevated windows. This shield could be configured by the theme (see | ||
| [#3327]). We could provide the following states: | ||
| * Colored (the default) |
There was a problem hiding this comment.
It'd be cool if you could upload your own icon too (similar to profile icons). That should be pretty straightforward.
There was a problem hiding this comment.
I mean, yea, sure, we could do that if someone really wanted that
There was a problem hiding this comment.
I'd swing hard the other way -- why let them choose mono or color? Just "on or off", with us controlling the visual treatment. for now
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Outdated
Show resolved
Hide resolved
| For the following examples, let's assume the user is currently in an unelevated | ||
| Terminal window. | ||
|
|
||
| When the user tries to create a new elevated **tab**, we'll need to create a new |
There was a problem hiding this comment.
Could/Should we add something like wt --admin new-tab ...?
Note --admin is off of wt not new-tab. It would be annoying to have to set the elevate member on NewTerminalArgs for each command.
There was a problem hiding this comment.
This might also solve the split-pane issue below? I feel like it's more straightforward to thing of the entire wt.exe commandline as "do all of this in an admin window" vs "do some of these commands in an admin window"
There was a problem hiding this comment.
That's maybe a good tangent to the split-pane discussion. With that discussion, I'm more concerned about someone trying to splitPane with a keybinding in an unelevated window, a Profile that's elevate=true. That's where it's a little weird.
wt --admin [args...] would be interpreted as basically "if I'm not elevated, launch an elevated wt [args...]". wt -w X --admin [args...] would then run [args...] in the elevated X window
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Outdated
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Outdated
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Outdated
Show resolved
Hide resolved
| * Over the course of discussion concerning appearance objects ([#8345]), it | ||
| became clear that having separate "elevated" appearances defined for | ||
| `profile`s was overly complicated. This is left as a consideration for a | ||
| possible future extension that could handle this scenario in a cleaner way. |
There was a problem hiding this comment.
Can we have an issue to track the discussion on "elevated" vs "unfocused" appearance configs?
I'm wondering if we could just do the following:
| Focused | Unfocused | |
|---|---|---|
| Regular | regular settings | unfocusedAppearance |
| Elevated | elevatedAppearance |
elevatedAppearance |
Reasoning: "elevated" is a long-term state whereas focus constantly shifts
idk, either way, a thread on this might be nice to have.
There was a problem hiding this comment.
I mean, we might as well just use #1939 for that, yea?
| * Similarly, we're going to leave [#3637] "different profiles when elevated vs | ||
| unelevated" for the future. This also plays into the design of "configure the | ||
| new tab dropdown" ([#1571]), and reconciling those two designs is out-of-scope | ||
| for this particular release. |
There was a problem hiding this comment.
Crazy idea: admin-settings.json?
There was a problem hiding this comment.
Honestly I'm just thinking newTabDropdown and adminNewTabDropdown, if you really want them to be different
There was a problem hiding this comment.
I also think that having completely separate settings would prevent security issues in the future. It may not be the best UX, but the safest thing would probably be to only have a OpenNewAdminWindow that just does runas wt.exe, and then within the admin window they can interact with the terminal however they'd like with the admin settings. I think that marshaling any amount of data into an admin context could cause problems. This is assuming that the actual wt.exe is only modifiable by the administrator.
consider if the attacker tries to run something like (edit: On reflection, the fact that you can just run a command as administrator is something that probably can't be prevented)
wt.exe "cmd.exe {1000 spaces/newlines to hide the rest of the string} && evil.exe"
Separate settings does have benefits too
- admin specific startup actions
- admin only profiles for free (including styling)
ghost
added
Needs-Author-Feedback
Co-authored-by: Carlos Zamora <carlos.zamora@microsoft.com>
Lol yea, I'm pretty sure we actually did have one one this. IIRC it was during the other process model one? In like, March 😝 The new stuff we discussed Monday, so I figured I'd document and #shipit |
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Show resolved
Hide resolved
doc/specs/#5000 - Process Model 2.0/#1032 - Elevation Quality of Life Improvements.md
Outdated
Show resolved
Hide resolved
@check-spelling-bot ReportUnrecognized words, please review:
Previously acknowledged words that are now absentSPACEBAR Unregister xIcon yIconTo accept these unrecognized words as correct (and remove the previously acknowledged and now absent words), run the following commands... in a clone of the git@github.com:microsoft/terminal.git repository ✏️ Contributor please read thisBy default the command suggestion will generate a file named based on your commit. That's generally ok as long as you add the file to your commit. Someone can reorganize it later.
If the listed items are:
See the 🔬 You can test your commits without appending to a PR by creating a new branch with that extra change and pushing it to your fork. The check-spelling action will run in response to your push -- it doesn't require an open pull request. By using such a branch, you can limit the number of typos your peers see you make. 😉 🗜️ If you see a bunch of garbageIf it relates to a ... well-formed patternSee if there's a pattern that would match it. If not, try writing one and adding it to a Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines. Note that patterns can't match multiline strings. binary-ish stringPlease add a file path to the File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.
|
## Summary of the Pull Request Adds a visible indicator that a Terminal window is elevated. This icon can be disabled with `"showAdminShield" false` in the global settings. ## References * spec'd in #8455 * Also in https://github.com/microsoft/terminal/projects/5 * big picture: #5000 ## PR Checklist * [x] Closes #1939 * [x] I work here * [n/a] Tests added/passed * [ ] Requires documentation to be updated - yea probably ## Validation Steps Performed  
## Summary of the Pull Request This is the resurrection of #8514 and #11310. WE determined that we didn't want to do #11308 after all, so this should be profile auto-elevation, without the warning. This PR adds two features: * the `elevate: bool` property to profiles - If the user is running unelevated, **and** `elevate` is set to `true`, then instead of opening a new tab, we'll open an elevated Terminal window with the profile. - Otherwise, we'll just open a new tab in the existing window. This includes cases where the window is elevated, and the profile is set to `elevate:false`. `elevate:false` basically just means "do nothing special with me". * the `elevate: bool?` property to `NewTerminalArgs` (`newTab`, `splitPane`) - This allows a user to create an action that will elevate the profile, even if the profile is not otherwise set to auto-elevate. - `elevate:null` (_the default_) does not change the profile's elevation status. The action will use whatever is set by the profile. - `elevate:true` will attempt to auto-elevate the profile - `elevate:false` will do nothing special. ## References * #5000 for obvious reasons * Spec'd in #8455 ## PR Checklist * [x] Closes #632 * [x] I work here * [x] Tests added/passed * [ ] Requires documentation to be updated - sure does, but that'll come all at the end. ## Detailed Description of the Pull Request / Additional comments After playing with de-elevation a bit, it turns out it behaves weirdly with packaged applications. I can try and ask `explorer.exe` to launch the process on our behalf. However, if the thing we're launching is an execution alias (`wt.exe`), and we're elevated, then the child process will _still launch elevated_. There's also something super BODGEY at work here. `ShellExecute` is the function we use to ask the OS to elevate something for us. But `ShellExecute` needs to be able to send a window message to the process that called it (if the caller was a WINDOWS subsystem application). So if we die immediately after calling `ShellExecute`, then the elevated process never actually spawns - sad. So we're adding a helper process, `elevate-shim.exe`, that lives in our process. That'll be the one that actually calls `ShellExecute`, so that it can live for the duration of the UAC prompt. ## Validation Steps Performed * Ran tests * Opened a bunch of terminal tabs at various different elevation levels * opened new splits too * In the defaults (base layer) as well, for madness Some settings to use for testing <details> ```jsonc "keybindings" : [ ////////// ELEVATION /////////////// { "keys": "f1", "name": "ELEVATED TAB", "icon": "\uEA18", "command": { "action": "newTab", "elevate": true } }, { "keys": "f2", "name": "ELEVATED, Color", "icon": "\uEA18", "command": { "action": "newTab", "elevate": true, "commandline": "PowerShell.exe", "startingDirectory": "C:\\Windows", "tabColor": "#bbaa00" } }, { "keys": "f3", "name": "unelevated ELEVATED", "icon": "🙃", "command": { "action": "newTab", "elevate": false, "profile": "elevated cmd" } }, ////////////////////////////// ], "profiles": { "defaults": { "elevate": true, }, "list": [ { "hidden":false, "name" : "cmd", "commandline" : "cmd.exe", "guid": "{0caa0dad-35be-5f56-a8ff-afceeeaa6101}", "startingDirectory" : "%USERPROFILE%", "opacity" : 20 }, { "name" : "the COOLER cmd", "commandline" : "c:\\windows\\system32\\cmd.exe", "startingDirectory" : "%USERPROFILE%", }, { "name" : "the sneaky cmd", "commandline" : "c:\\windows\\system32\\cmd.exe /k echo sneaky sneaks", "startingDirectory" : "%USERPROFILE%", }, { "name": "elevated cmd", "commandline": "cmd.exe /k echo This profile is always elevated", "startingDirectory" : "well this is garbage", "elevate": true, "background": "#9C1C0C", "tabColor": "#9C1C0C", "colorScheme": "Desert" }, { "name": "unelevated cmd", "commandline": "cmd.exe /k echo This profile is just as elevated as you started with", "elevate": false, "background": "#1C0C9C", "tabColor": "#1C0C9C", "colorScheme": "DotGov", "useAcrylic": true }, ] ``` </details> Also try: * `wtd nt -p "elevated cmd" ; sp -p "elevated cmd"` * `wtd nt -p "elevated cmd" ; nt -p "elevated cmd"` This was merged manually via ``` git diff dev/migrie/f/non-terminal-content-elevation-warning dev/migrie/f/632-on-warning-dialog > ..\632.patch git apply ..\632.patch --ignore-whitespace --reject ```
⇒ doc link ⇐
Summary of the Pull Request
Despite my best efforts to mix elevation levels in a single Terminal window, it seems that there's no way to do that safely. With the dream of mixed elevation dead, this spec outlines a number of quality-of-life improvements we can make to the Terminal today. These should make using the terminal in elevated scenarios better, since we can't have M/E.
Abstract
PR Checklist
Detailed Description of the Pull Request / Additional comments
*** read the spec ***
Why are these two separate documents?
I felt that the spec that is currently in review in #7240 and this doc should remain separate, yet closely related documents. #7240 is more about showing how this large set of problems discussed in #5000 can all be solved technically, and how those solutions can be used together. It establishes that none of the proposed solutions for components of #5000 will preclude the possibility of other components being solved. What it does not do however is drill too deeply on the user experience that will be built on top of those architectural changes.
This doc on the other hand focuses more closely on a pair of scenarios, and establishes how those scenarios will work technically, and how they'll be exposed to the user.
TODO:
splitPaneshould workmalicious.exeinto your auto-elevate profile, and have you run it without knowing it was changed.