submitted 9 months ago* (last edited 9 months ago) by Aatube@kbin.social to c/technology@beehaw.org

Shipped in Windows 11 Insider Preview Build 26052. https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html claims it has a big security problem that makes the program accept calls to elevate from anywhere once first run

Edit:

  1. The security problem has been internally fixed and will be available in the next release
  2. It's not just an alias for 'runas'. It seems to be able to configurably block user input for sudo'd commands, retain the existing environment, ditch it and open a new window, and remember that you've sudo'd in the last minute or so.
  3. It brings up UAC instead of having you input the password
[-] Nath@aussie.zone 22 points 9 months ago

I was Googling like mad just this week on how to execute a cmdlet as Admin from within a script that isn't running with elevated privileges. The results all basically came back with some variation of "just run the script as Admin".

This is the right way to do it. I'm glad it's coming.

[-] tesseract@beehaw.org 11 points 9 months ago* (last edited 9 months ago)

The OpenBSD devs published a mail about it. The irony here is how Microsoft would behave if anybody else copied their concepts, including the name. The treatment is never symmetric or reciprocal.

[-] UNIX84@beehaw.org 12 points 9 months ago

I mean licensing comes in here. The FOSS licenses allow this. Microsoft EULA and copyright almost certainly does not. But yes, I get the sentiment.

It's almost as if all of the FAANG/Magnificent 7 market outperformance the past 15 years was built on the backs of the free labor provided by the FOSS movement. But then they will turn around and claim that non-western companies steal IP, etc and have US intervene to ban competition, or sue in courts. Kind of funny.

Back to the tech discussion, I've been using doas for a few years now instead of sudo. Even on my GNU/Linux machines. It's a lot simpler to set up for desktop workflow machines.

[-] jarfil@beehaw.org 6 points 9 months ago

> free labor provided by the FOSS movement

Check out the contributors to Linux, how many of them work for free vs. how many work on behalf of companies.

There is this pervasive myth that FOSS gets developed by lone wolves working in their spare time, when in reality most of the projects that get any traction, have a financing model behind them.

[-] jarfil@beehaw.org 2 points 9 months ago

No irony there; BSD devs want companies to copy their code and close it down... or they wouldn't be using the BSD license.

[-] jarfil@beehaw.org 6 points 9 months ago

start-process -verb runas

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process

Not the same as sudo, but mostly equivalent for single cmdlets or scripts.

[-] Nath@aussie.zone 2 points 9 months ago

That's where I started, of course - but you can't combine -verb with -credential. It's a silly limitation that seems to make sense to Microsoft. What you can do is configure a savecred which you can call with RunAs, but you then need to update that saved credential every time the password changes.

I do have a $Credential object that has been pulled out of the password safe that has elevation permissions, but can't seem to apply it non-interactively or without being in an elevated session. This appears to be by design. Not that I intended my comment to turn into a support question. 😀
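
The `Start-Process -Verb RunAs` approach discussed in the two comments above, as an added example that is not part of any poster's comment: a script that checks whether it is elevated and, if not, re-launches itself through UAC. The helper name `Test-IsElevated` and the sample action at the end are assumptions made for illustration.

```powershell
# Added example: re-launch the current script elevated via UAC.
# Assumes Windows, PowerShell 5.1 or later, and that this is saved as a .ps1 file.

function Test-IsElevated {
    # Hypothetical helper: true when the current token holds the Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Use the same host that is running now (powershell.exe or pwsh.exe).
    $hostExe = (Get-Process -Id $PID).Path
    $argList = @('-NoProfile', '-File', "`"$PSCommandPath`"")

    try {
        # -Verb RunAs goes through ShellExecute, so UAC prompts on the interactive desktop.
        # -Verb and -Credential belong to different parameter sets and cannot be combined.
        $child = Start-Process -FilePath $hostExe -ArgumentList $argList `
                               -Verb RunAs -Wait -PassThru -ErrorAction Stop
        exit $child.ExitCode
    }
    catch {
        # Reached when the UAC prompt is declined or cannot be displayed.
        Write-Error "Elevation was not granted: $($_.Exception.Message)"
        exit 1
    }
}

# Elevated from here on. Constructed sample action: reading the Security log needs admin rights.
Get-WinEvent -LogName Security -MaxEvents 5 | Select-Object TimeCreated, Id, ProviderName
```

The elevated copy runs in its own console window, and the UAC consent step stays interactive, so this does not cover the non-interactive case raised in the reply.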

[-] beefcat@beehaw.org 3 points 9 months ago* (last edited 9 months ago)

runas will do it, but the syntax is awful. i’m so glad windows is finally getting a real sudo

[-] Aatube@kbin.social 3 points 9 months ago
[-] Nath@aussie.zone 1 points 9 months ago

I like it! I think I'll tinker with this on my workstation, potentially even my dev environment. It isn't suitable for my present issue though, as gsudo is not in the SOE. Also, from that little demo thingy, it appears to pop up a UAC prompt the first time it executes. I need to be non-interactive.

[-] Aatube@kbin.social 1 points 9 months ago
[-] Nath@aussie.zone 1 points 9 months ago

This is a sad revelation. This sudo implementation wasn't going to make much difference to me immediately anyway, as I assume sudo won't be in Windows Server until v2025. But still: I was hoping it would work like *nix with a sudoers file or something similar.

[-] NoLifeKing@ani.social 3 points 9 months ago

"Use Linux" is the answer I got...

[-] jarfil@beehaw.org 1 points 9 months ago

Haven't tried it on Linux, but it says the -verb runas only works on Windows... might have to use actual sudo on Linux.

[-] Pilgrim@beehaw.org 16 points 9 months ago

I would say "hey that's just copying" but Microsoft is legally incapable of being wrong, or noticing irony so I'll leave it be

[-] OmnipotentEntity@beehaw.org 17 points 9 months ago

If I'm understanding this correctly, it's not even copying. It's apparently just a wrapper for the built-in runas command that's been there since Windows 2000.

[-] zadjii@mastodon.social 9 points 9 months ago

@OmnipotentEntity @Pilgrim it's actually not just a wrapper for runas. There's a lot of other plumbing here to get the console handle you're actually using plumbed to the target application. That's the magic that lets you actually interact with the elevated process in the same terminal.

With runas, the target application is just stuck in a separate console window (gross)

[-] OmnipotentEntity@beehaw.org 4 points 9 months ago

So please forgive me if this is a rather naive question. I haven't seriously used Windows in nearly 15 years.

I seem to recall runas being a lot like su, in that you enter the target user's credentials, rather than your own as in sudo. This works because sudo is a setuid executable, and reads from configuration to find out what you're allowed to do as the switched user.

Is the behavior of windows sudo like unix su or unix sudo with regard to the credentials you enter? Can you limit the user to only certain commands?

[-] Aatube@kbin.social 1 points 9 months ago

It brings up a UAC prompt, so any admin's credentials ig

[-] OmnipotentEntity@beehaw.org 2 points 9 months ago

So it's su then, not sudo.

[-] Aatube@kbin.social 2 points 9 months ago

(this is the maintainer)

[-] Penguincoder@beehaw.org 6 points 9 months ago

Exactly. Windows already has this functionality with runas and this implementation doesn't improve on it at all.

[-] Aatube@kbin.social 6 points 9 months ago

It's more complicated than that. It seems to be able to configurably block user input for sudo'd commands, retain the existing environment, ditch it and open a new window, and remember that you've sudo'd in the last minute or so.

[-] TxzK@lemmy.zip 5 points 9 months ago

Classic Microsoft. Just change the look and be done with it. No need to actually improve the internals.

[-] LallyLuckFarm@beehaw.org 10 points 9 months ago

Sudo on windows...

[-] reddthat@reddthat.com 2 points 9 months ago

I've been using Sudo for years.

  • install scoop
  • scoop install sudo
[-] venia_sil@fedia.io 1 points 9 months ago

sudo format /q c: && apt install debian

Nice!

[-] nothacking@discuss.tchncs.de 1 points 9 months ago* (last edited 9 months ago)

This would be real nice if this let you easily run commands as SYSTEM or TrustedInstaller from a script, not just as Admin. Not only can Admin be reached from the "Run as Administrator" menu option, it is actually quite limited for messing around with system files. For the most part, Admin lets you mess with system settings/registry, and user files, but not with a lot of system/application files without TAKEOWNing everything.

this post was submitted on 11 Feb 2024