New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support sudo <PowerShell cmdlet> #3232
Comments
Hum! Very interesting. But, I think the actual behavior is as expected. As in Windows we don't have a command like sudo. I would only use 'sudo' on Linux commands ("sudo nautilus") from within PowerShell. :) |
Even on Windows, it would be good to have similar capability to run a cmdlet as another user or elevated and something that could relied on in portable scripts. May need an RFC for this. |
This functionality would be useful to work around #3506. |
This is going to become a blocker for adapting Linux for me if this is not resolved. We are not allowed to sudo bash and similarly will not be able to do sudo powershell. I agree with Maximo, we should leave sudo to bash and make a new cmdlet for doing elevation in powershell using sudo as scaffolding on expected functionality. |
@dantraMSFT has been investigating this, Dan can you provide an update on some current thinking for this? |
@pixelrebirth Can you provide more detail as to what you expect? Are you expecting simple execution with a wait, output redirection or pipeline redirection? |
@dantraMSFT For sake of the argument I am going to call the new sudo like cmdlet: Invoke-Elevated
In this example, everything in the scriptblock would be executed elevated and then piped to a NON elevated Get-SomeCmdlet Logging should be enabled, by default for instances where Invoke-Elevated is executed: Maybe some of this gets extended or changed later, but this is what would remove my blockers |
It should also work like:
Get-ChildItem is NON elevated, Remove-Item is elevated in this example |
I was on the community call today asking about this, but my wife got hurt during the explanation of the challenges for it and I missed a lot of it. Can you please put notes here so I can relay them to my boss? I will help however possible and put pressure wherever I need to. |
@pixelrebirth hope she's okay! We'll be putting up a recording of the call in the next day or two, so you can catch up if you like. Basic summary is that @dantraMSFT is doing an initial investigation to figure out how to do this in a non-hacky way. Today, you can @dantraMSFT : as you work through your investigation, maybe post some status to make sure that everyone understands the tradeoffs with different approaches? |
It may seem obvious, but maybe take a look at the sudo source code and see how they manage it-- maybe it requires some low level coding. I wish I had a deeper code understanding to help. She is okay, she feel on her surgery hip. Thanks for the fast response on this. I am working on a little hack work around I will post here if I pull it off. |
Most attacks target local elevation. So all configs is "secure by default". WMI, WinRM, IIS loopback and etc - all subsystems disable features which allows local elevations.
We should have the same UX for all platforms. Really there PSRP works over a transport - WinRM or SSH. MSFT said that they like SSH but I do not see any noticeable progress over the past two years. And it's unbelievable that they will want a third protocol in the near future - too much work (the need to maintain compatibility with old systems). |
I tried to enable that a while ago, and I was told repetitively by many others that this is restricted by the os internally and it is not possible in any way without an application hooking deep into windows internals. In fact many have pointed at the above referenced windows api restrictions and used that as argument for why powershell could never provide such capability. And someone even referenced an CVE where loopback elevation was intentionally removed. Therefore apologies going down that rabbit hole a bit deeper, but what do I need to configure for it to work? Is that even documented anywhere?
Well than we should push forward either of both solutions as both work on any platform.
Therefore as powershell remoting is already there (and also kinda works over ssh already) we should prioritize that solution I think. |
I cannot confirm. I guess the CVE could just disable loopback by default but not at all. |
@iSazonov: That does not work, it only provides the low privilege access token but not the elevated access token (e.g. But I now tried it also using SSH and that works as expected it provides the elevated token ( Therefore in PSCore we can rely upon psrp for elevation (even locally through |
@agowa338 I think we should not discuss bypassing security features of WinRM here (it is compliance sensetive area). I can only indicate (1) that regardless of a protocol, security should remain at the same level, which implies that SSH loopback should behave the same as for WinRM taking in account how Windows internals work, (2) PS sudo implementation should works over any transport. |
@iSazonov: I did not ask for an exploit, but only for what needs to be configured to enable it. Also you seam to be the only one that figured out how to configure WinRM in order to allow loopback elevation.
What do you mean with that?
Well SSH has a system service that acts as a broker in the background to do exactly that. It provides a Network access token...
Well it does not over WinRM for exactly that reason. So if it is true what you said we need documentation for how to enable loopback WinRM. |
@agowa338 MSFT team asked me do not discuss security publicly and I follow the CoC. I support your desire to explore this topic deeply, but as part of this discussion, this is a headache for MSFT how to integrate this solution into Windows and keep security compliance. |
Well that does not help anyone. To summon it up:
Sorry, but that sounds like a backdoor and not a feature. It is unusable for anyone except you than. So we're back at it's currently not implemented and we need a broker service than... |
@agowa338 We have gathered enough information for MSFT team to conclude. If they find security issues, they will show us an acceptable alternative way. |
It was possible but was patched earlier this year https://devblogs.microsoft.com/powershell/windows-security-change-affecting-powershell/ with the patch KB4480116 and any subsequent cumulative updates.. Before this update it was possible to elevate your privileges if you have the LocalAccountTokenFilterPolicy set to 1 which is what There's a note there saying JEA endpoints are not affected so potentially you could create your own PSSessionConfiguration and connect to that but I haven't tested this to verify. Personally I think this patch is silly as this patch just stops the PowerShell client from connecting to localhost but you can easily bypass it if you know what you are doing. For example I can still go from limited to elevated without touching UAC by using SSH or another PSRemoting client like so
We can see that using SSH we have an elevated token, we can also see that using a 3rd party library we can still use localhost PSRemoting that creates an elevated token and that the patch is not a total block of this functionality. I don't see this as a security issue or crossing a security boundary as MS has repeatedly said that UAC is not a security boundary
It might be close or act similar to one but it is not foolproof. One of those ways of bypassing UAC is the known and documented
Ultimately what that means is there is no really official way on Windows to elevate your privileges from limited to an admin in a non-interactive fashion. It's quite simple to use
|
@iSazonov None of these suggestions will accomplish a user-interactive command elevation from within the same console session, especially in an environment that lacks UAC. It appears that you can speak on behalf of Microsoft in these matters, so would you clarify whether they are simply not interested in in introducing such a feature as I have described it? If that is the case, as I have interpreted from the above posts, it seems prudent to close this thread, as the rest of us users will have to look elsewhere for solutions such as @parkovski's TokenServer idea. |
I am a community maintainer of the project, not MSFT member and I can not speak on behalf of Microsoft.
All proposals have value; none of them are rejected. The discussion is just for collecting all possible proposals. Currently I am trying to summarize all proposals so that we can move forward and not stagnate. That I see.
So expectations are:
Implementation details:
@mklement0 I wonder that I do here that you do usually great :-) You rob me of being an opponent :-) |
Why not write an windows binary that requires privileges that starts a powershell instance with whatever commands passed to it. It would have to be a console mode app to work properly. Then for linux, we write a script that requires permissions that starts a powershell instance with the commands provided. If this works in practice like it does in theory, powershell will be launched with elevated permissions, runs the commands and exits. |
Cause the windows API prevents that and the console app would open in a new window. We already talked about possible workarounds. |
One thing to keep in mind is that no matter how this gets implemented, there is always a process hop to and from an elevated process. This means that you'll always have deserialized objects in the pipeline and those limitations will apply. In many cases, this won't be an issue, but if a cmdlet expects a live .NET object, then it won't work. To support JEA with SSH, we would eventually need a generalized daemon/service that replaces the need for WinRM as that service anyways. At that time, we would evaluate using that to elevate a part of the pipeline. |
FYI: https://github.com/gerardog/gsudo
|
Even better
|
No. Gsudo doesnt prompt for password each time and is noticebly faster to install and use. |
It looks to me that this issue should be accepted (which means some more time and organization should be given to it) judging from the interest not only from this ticket. Its not correct not to officially recognize it as a work task as currently perceived technical difficulties are not going to be solved without active involvement. I am using gsudo for a few months now and I can't imagine going back to traditional Windows UAC all the time horror. |
@majkinetor this issue got spun off in #11343 to further discussion on the design |
Is there an update for this feature request? The last referenced Ticket #11343 was already marked as done a while ago. |
With Windows supporting sudo now (in Insiders) as first class citizen, this will allow at least wrap-around functionality: https://devblogs.microsoft.com/commandline/introducing-sudo-for-windows/
|
Only client versions of windows. What is with servers? |
This issue goes back 7 years, so I may have missed somebody sharing this already, but in case it hasn't, here it is. It seems that #!/usr/bin/env pwsh
$Env:SHELL = '/opt/microsoft/powershell/7/pwsh'
$source = /tmp/file.csv
$dst = /home/user/tmp/file.csv
sudo -s Move-Item -Path $source -Destination $dst -Force However, if I append
So this kinda works for using |
Steps to reproduce
sudo Remove-Item foo.txt
where foo.txt is owned by rootExpected behavior
foo.txt
is deletedActual behavior
sudo: Remove-Item: command not found
The text was updated successfully, but these errors were encountered: