Sudo on Windows

I have recently found this; it is a sudo for Windows. Does anyone else use this or a similar tool? Any thoughts on security implications?

Post inspired by the significant amount of discussion here-


Woah it’s the guy

Hi @TheCakeIsNaOH! I am the author of gsudo.
I’m glad that people are finding the tool and using it!

Regarding the security of using the tool: I am writing a wiki page about it, but haven’t finished yet.
But in short, there are 4 security considerations regarding any sudo for windows implementation.

The first one is the most obvious. Do you trust the publisher? (me!). Trust is hard to earn. The code is online for you to read/audit/build locally. I am code signing the release builds. You may also download unsigned builds from appveyor.

The second one is user isolation:

Microsoft has decided to secure Windows by isolating different integrity levels. You are normally running under medium integrity. When you accept a UAC popup, you are opening a high-integrity process/window. Because of how Windows is designed, processes can communicate with each other with very few limits, i.e. one process can manipulate objects, the mouse, read the screen, and read key presses from other processes, but only if they are running with the same or a lower integrity level. Therefore Windows Vista introduced UAC, and since then there is an ‘isolation’ between admin and non-admin processes.

Any sudo for Windows that runs in the same console (not opening a new console for the elevated processes) is breaking that isolation. So if you have a virus, it could potentially read the screen or send keys to gsudo. That is the risk that you wouldn’t normally have by running as admin in a different window. BTW, you can use -n, as in gsudo -n command, to elevate in a new window, and that preserves the isolation.

Would you accept the risk? Linux users do: on Linux you can attach a debugger to another console with an active sudo session and do the same. Linux users accept the risk. For example, echo Hi > /dev/ttyX successfully injects text into a tty even if it’s running sudo.

On Windows, you are already accepting the risk if you are using elevated tabs in Cmder/ConEmu, or opening a remote ssh root@server in a non-elevated window.

Also, there are maybe a hundred hacks to bypass UAC. There has been a lot of discussion about this. Even Mark Russinovich (from Microsoft) stated once that UAC “is not a security barrier”, meaning that Microsoft is not patching all the discovered hacks to bypass UAC. You may already be at risk again.

But since Microsoft is in the spotlight, it has decided not to embark on a sudo command, since it breaks their own isolation, and any hacks may hit the headlines and hurt the company.

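The second consideration above (same-console elevation versus a separate elevated window) can be probed directly with UIPI, the rule that a window owned by a higher-integrity process refuses input messages from lower-integrity senders. The script below is an added example, not code from the original post or from gsudo itself. It assumes the target process owns its own console window (classic conhost); under Windows Terminal the window belongs to the terminal process, not to the elevated child, so the probe would have to target the terminal's window instead, which is exactly the "elevated tab" situation the post describes.

```powershell
# Added example (not gsudo's code): check the current shell's integrity level and
# test whether a keystroke posted to another process's window is accepted or
# rejected by UIPI. Assumes the target PID has its own console window (conhost).

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
'@

function Get-CurrentIntegrityLevel {
    # The integrity level is carried as a group SID (S-1-16-<RID>) in the token.
    $labels = @{ 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'MediumPlus'; 12288 = 'High'; 16384 = 'System' }
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
        Where-Object { $_.Value -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $sid) { return 'Unknown' }
    $rid = [int]($sid.Value -split '-')[-1]
    if ($labels.ContainsKey($rid)) { $labels[$rid] } else { "RID $rid" }
}

function Test-KeystrokeInjection {
    # Posts a harmless 'a' character to the target's top-level window.
    # UIPI refuses the message (ERROR_ACCESS_DENIED) when the window's owner runs
    # at a higher integrity level than this shell; otherwise the input is delivered.
    param([Parameter(Mandatory)][int]$TargetPid)
    $WM_CHAR = 0x0102
    $ERROR_ACCESS_DENIED = 5
    $hwnd = (Get-Process -Id $TargetPid).MainWindowHandle
    if ($hwnd -eq [IntPtr]::Zero) {
        throw "PID $TargetPid has no top-level window of its own (hosted by a terminal?)"
    }
    $ok  = [Win32.User32]::PostMessage($hwnd, $WM_CHAR, [IntPtr][int][char]'a', [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        "PID ${TargetPid}: keystroke delivered -> same or lower integrity, input injection possible"
    } elseif ($err -eq $ERROR_ACCESS_DENIED) {
        "PID ${TargetPid}: blocked by UIPI (ERROR_ACCESS_DENIED) -> integrity isolation holds"
    } else {
        "PID ${TargetPid}: PostMessage failed with Win32 error $err"
    }
}

# Usage, typed into a non-elevated PowerShell:
#   Get-CurrentIntegrityLevel                         # 'Medium' for a normal shell
#   $plain = Start-Process cmd -PassThru              # medium-integrity cmd in its own window
#   gsudo -n cmd                                      # elevated cmd in a new window (the -n from the post)
#   Test-KeystrokeInjection -TargetPid $plain.Id      # delivered: same integrity level
#   Test-KeystrokeInjection -TargetPid <elevated cmd PID>   # blocked by UIPI
```

The point of the comparison is the one the post makes: when the elevated process has its own high-integrity window, a medium-integrity process cannot push input into it; when the elevated command shares a medium-integrity console, whatever can reach that console window can reach the elevated command.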

(Sorry I accidentally pressed enter and my comment was posted too soon)

Third is the Credentials Cache: I mean the gsudo feature that allows you to run multiple commands (within the same session) with only one UAC pop-up. The name is a little misleading since no credentials are stored anywhere; it’s that the elevated gsudo process stays active for 5 minutes in case you need to elevate again. And although there are protections built in (only same gsudo binary, same user, same process id), it’s very hard to give a 100% guarantee that it can’t be hacked. You can disable this convenience feature with gsudo config CredentialsCacheDuration 0 and a UAC popup will appear on each invocation.

Fourth is unknown bugs, but that is kind of a mix of the 2nd and 3rd items.

For the upcoming 0.7 release I am focused on security tightening and a few new features.

I am trying to be totally open about the security implications that gsudo users are opting in to. I will upload the security implications docs to the repo as soon as I finish 0.7 and the write-up.

If you find an issue, bug, vulnerability, please create an issue on the repo!
Thanks!

EDIT:

LOL, yes, I found a lot of downloads today and wondered why, so I googled and found this post with a really good question. I created a user here on level1techs and started answering, only to find out that the enter key submits the answer without confirmation (WAT)… clicked delete… and “(post withdrawn by author, will be automatically deleted in 36 hours unless flagged)”… yikes… embarrassing!

Great! I would love to have a conversation, but only when my ‘new user limits’ expire. I can only add 3 replies on this post, and I already did.


That cracked me up :smiley:

Hi! Welcome to the forum and thanks for providing more info on your tool. I think you came to the right place for testers :wink:


Thank you for your detailed response.

I think this is why the new Windows Terminal does not have an option for opening a new tab as admin.

Hmm, this sounds like an area to poke at for security. The internals page details sound reasonable.

I expedited you to the next level (I think)

I’m one of the mods here, welcome to the forum


@gnif we found you a new friend


@Dynamic_Gravity at least @Gerardo_G understands what UAC is and can & can’t do :slight_smile:

And welcome @Gerardo_G :smiley:


@Gerardo_G Welcome to the forvm. I don’t use MS Windows anymore except for at work. I would be willing to spin up a Windows 8.0 VM (the only MS Windows I have a license for) to test things out.
