Return to Level1Techs.com

Sudo on windows

I have recently found this, it is a sudo for windows. Does anyone else use this or a similar tool? Any thoughts on security implications?

Post inspired by the significant amount of discussion here-

4 Likes

Woah it’s the guy

Hi @TheCakeIsNaOH! I am the author of gsudo.
I’m glad that people are finding the tool and using it!

Regarding the security of using the tool. I am writing a wiki page about it, but haven’t finished yet.
But in short, there are 4 security considerations regarding any sudo for windows implementation.

The first one is the most obvious. Do you trust the publisher? (me!). Trust is hard to earn. The code is online for you to read/audit/build locally. I am code signing the release builds. You may also download unsigned builds from appveyor.

The second one is user isolation:

Microsoft has decided to secure Windows by isolating different Integrity levels. You are normally running under medium integrity. When you accept an UAC popup, you are opening a High Integrity process/window. Because of how windows is designed, processes can communicate with other with very little limits, i.e. one process can manipulate objects, mouse, read screen, key presses from other processes, but only if they are running with same or lower integrity level. Therefore Windows Vista introduced UAC, and since then there is an ‘isolation’ between admin and non-admin processes.

Any sudo for windows that runs in the same console (not opening a new console for the elevated processes) is breaking that isolation. So if you have a virus, it could potentially read the screen or send keys to gsudo. That is the risk that you wouldn’t normally have by running as admin in a different window. BTW, you can use -n as in gsudo -n command to elevate in new window and that preserves the isolation.

Would you accept the risk? Linux users do: On Linux you can attach a debugger to other console with an active sudo session and do the same. Linux users accept the risk. For example echo Hi > /dev/ttyX sucessfully injects text on a tty even if it’s running sudo.

On Windows, you are already accepting the risk if you are using elevated tabs on Cmder/ConEmu, or opening a remote ssh [email protected] on a non-elevated window.

Also there are maybe a hundred hacks to bypass UAC. There has been a lot of discussion about this. Even Mark Russinovich (from Microsoft) stated once that UAC “is not a security barrier” meaning that Microsoft is not patching all the discovered hacks to bypass UAC. You may be already at risk again.

But since Microsoft is in the spotlight, has decided not to endeavor in a sudo command, since it breaks their own isolation, and any hacks may hit headlines and hurt the company.

7 Likes

(Sorry I accidentally pressed enter and my comment was posted too soon)

Third is the Credentials Cache: I mean the gsudo feature that allows to run multiple commands (within a same session) with only one UAC pop-up. The name is a little misleading since no credentials are stored anywhere, it’s that the elevated gsudo process stays active in case you need to elevate again for 5 minutes. And although there are protections built-in, (only same gsudo binary, same user, same process id), it’s very hard to give a 100% guarantee that it can’t be hacked. You can disable this convenience-feature with gsudo config CredentialsCacheDuration 0 and an UAC popup will appear on each invocation.

Fourth, is unknown bugs, but is kind of a mix of the 2nd and 3rd items.

For the upcoming 0.7 release I am focused on security tightening and a few new features.

I am trying to be totally open about the security implications that gsudo users are optin-in, I will upload the security implications docs to the repo as soon as I finish 0.7 and the write-up.

If you find an issue, bug, vulnerability, please create an issue on the repo!
Thanks!

EDIT:

LOL, yes, I found a lot of downloads today and wondered why, so googled and found this post with a really good question. Created a user here on level1techs and started answering to find out that the enter key submits the answer without confirmation (WAT)… clicked delete… and “(post withdrawn by author, will be automatically deleted in 36 hours unless flagged)”… yikes… embarrasing!

Great! I would love to have a conversation. But only when my ‘new user limits’ expires. I can only add 3 replies on this post, and I already did.

3 Likes

That cracked me up :smiley:

Hi! Welcome to the forum and thanks for providing more info on your tool. I think you came to the right place for testers :wink:

3 Likes

Thank you for your detailed response.

I think this is why the new windows terminal does not have an option for opening a new tab as admin.

Hmm, this sounds like this is an area to poke at for security. The internals page details sounds reasonable.

I expedited you to the next level (I think)

I’m one of the mods here, welcome to the forum

4 Likes

@gnif we found you a new friend

5 Likes

@Dynamic_Gravity at least @Gerardo_G understands what UAC is and can & can’t do :slight_smile:

And welcome @Gerardo_G :smiley:

4 Likes

@Gerardo_G Welcome to the forvm. I don’t use MS Windows anymore except for at work. I would be willing to spin up a Windows 8.0 VM (the only MS Windows I have a license for) to test things out.

2 Likes