There's also a "sudo" for windows distributed as a chocolatey package that I've used for at least a year. Appears to do pretty much the same thing as this one.
I've always been annoyed by the lack of ability for certain things to elevate as needed. Why doesn't Notepad offer to let you elevate when you try and save the hosts file?
I can't count how often I relaunch Command Prompt to Run as Admin.
But I'm hesitant to use a third party tool here, I really wish Microsoft just dealt with this properly.
And if we go by "standard across all * nix variants", outside of base POSIX (if even that), nothing is really standard across all * nix variants. There's no way "standards across all * nix variants" can compete with Microsoft's APIs available across, say, 90% of their installed user base.
Which is why developers that actually care about the whole desktop experience setttle on OS X and Windows.
Developers that are fine with xmonad and CLI, settle for a POSIX experience, making such APIs like PolicyKit barely used, because portable UNIX applications don't adopt them.
Yeah, I'd really like to see MS implement some method for applications to automatically request elevation when they try to do something that they otherwise wouldn't be allowed to.
Also, not sure why you've received two replies, that are - as far as I can see, completely irrelevant to what you've written; it's bizarre.
Is it really sudo? Does it remember credentials somewhere for a limited time and across the whole system? If so, I cant see a way to implement it securely if you're not MS.
This solves a real problem and it works great. There's no horrible issue with getting a UAC dialog every time you do a sudo command. After all, in Windows (for better or worse) you need to be Administrator for less stuff.
I'm guessing it spawns a persistent elevated process that processes commands passed to it by 'sudo' and that exits after a while when idle. No credentials need to be stored anywhere.
You can call 'runas' via an API at code level that allows you to specify a password. There's quite a few tools out there that do it. I used to host mine on my website but it caused all those website classification systems to classify my domain as 'hacking tools' so I had to remove it. :(
RunAs.exe only allows you enter a password interactively. If you want to elevate with RunAs in a script and pre-specify the password[1], you can't do it.
--
[1] Yes, I know this is awful security, but sometimes you have no choice.
RunAs always asks for password for the Administrator account (not the account for the delegated account like sudo). I have admin access to my work PC, but not the Administrator password (since UAC grants me access). Also, running elevated programs always in separate windows, so you can't redirect their input/output. And CLI program disappear instantly (no time to read the output).
In windows you can assign admin access to any account if you wish, kind of like sudo in unix. "Administrator" is a special account, basically like root in unix.
Yes, but you need the password then. With admin priviledges you can run "as admin" without needing to know the password. The privileged account still runs programs in normal mode (unprivileged), but can launch programs with elevated permissions.
The dialog has been designed in a way so that’s almost impossible to press by accident, nor programmatically.
Specially dimmed background, characteristic sound, the dialog runs on a dedicated desktop i.e. you won’t see any apps nor the start menu. Also the default button is No i.e. you can’t accidentally press Yes with enter or space keys, you have to use a mouse.
I'm author. I added this because I want to write hosts file with ":w !sudo tee %" from gvim.exe on Windows. But most of implementations doesn't work for this.
I literally wrote something identical just over a week ago; even called it sudo as well. Mine's in .NET as a little EXE. It's about 10 lines of code. I am not dissing this effort though. Far from it. Open Source is cool.
It's annoying that you still have to navigate the UAC dialog though - not sure how to get around that, without compromising security.
For those talking about right-click on the EXE... If you live in the command prompt, having to reach for the mouse just to elevate is irritating as hell.
It's obviously how I word things... :( Why are you focusing on my '10 lines' comment? It's not a competition. I only stated the line amount as it's quite a trivial problem to solve, but as others have asked - why is it not a command by default in Windows?
> The main point of sudo is that it eliminates the need to enter the password for a while.
I disagree, that's just an additional feature of it. The main point is that you can carry out admin tasks from an otherwise more restricted environment, so you only elevate your power when necessary. Otherwise, users might be tempted to always run whole sessions as an admin/root for convenience.
This is very cool but as someone who's not a pro with Windows API or powershell, how safe is this thing assuming a user-space process has been hijacked by an attacker?
Yes, If any malicious program is running in user land in windows, it can easily bypass UAC. But, as was mentioned when this was being discussed on reddit[0], UAC was never meant to be a fix-all security boundary.
I read the code. I don't make sure but AFAIS, elevate doesn't handle stdin/stdout/stderr, can't pass environment variable correctly. After set FOO=bar, the process can't read FOO. etc.
If you're at the command line anyway, Powershell is nearly always a better choice, and it has that covered also. See TokenDiversity 's comment, or use a simple function or use Invoke-Elevated from an installable package. E.g. https://stackoverflow.com/questions/1566969/showing-the-uac-...
Or if you know the admin account you could use something like
Invoke-Command -ScriptBlock { ls } -ComputerName $env:COMPUTERNAME -Credential (Get-Credential)
Not if I want resemblance with Bash-like shells. I guess that's also the point of this: Most people already know sudo from Linux and cmd.exe, now they can use both together.
20 year bash user and recent Powershell convert here. Powershell has proper things like profiles and aliases, cool stuff like being able to cd and rm the Environment and Registry keys like files. cmd has none of those.
(Plus powershells structured output so you can use 'where' and 'select' and 'get-member' rather than scraping with regexs. )
But why saddle myself with a registry? I just don't see the need. Also, basic stuff like tab completion and so forth just doesn't exist in Powershell, copying/pasting is a nightmare, and it has its own syntax tomfoolrey like opening Internet Exploder when I just wanna download a damn file via CLI!
It isn't that hard to build a decent shell, if zsh can do it, why can't MS put a few decent interns on it and get their act together? I feel like I'm knocking skulls together whenever I end up talking Powershell with someone from across the lake here in Seattle, this stuff isn't all that difficult!
Because you are just used to the way how bash/zsh works and Powershell is superior to any of the shells mentioned.
I am a "recent" powershell convert (started 1y ago) and this different paradigm feels now more natural than traditional text parsing.
Wow, way to completely ignore the question. Saying "its better" without even responding to the glaring unresolved errors by MS I highlighted is totally pointless.
Your comment successfully added nothing of value to this HN thread, besides showing your lack of ability to string together a coherent and logical reply, good jerb!
Quiet the contrary to be honest. Calling MS tech names and dismissing the great work of those that created PS is just a sign of immaturity or simply an OSS zealotry.
Your bashing of PS either comes from ignorance or you simply did not invest enough time to learn the technology.
Tab completion and copy/pasting works flawlessly in powershell..you can even pipe to clip and have it in your clipboard.
Downloading a damn file from internet is one of the simplest things you can do in PowerShell (and imho more pleasant than gluing wget/curl in your scripts).
Bashing the syntax is totally unfair as it's a different paradigm.
I tried approximately a year ago to figure out Powershell, other people in this thread have said "Oh, install all these things to clean it up, here are only a handful of them, have fun" which is pretty useless.
I don't want to have to spend my time installing a bunch of crap on each Windows box I touch, it either has sane defaults and is usable from the get go, or I'm polishing a turd.
As the powershell advocate I get where you're coming from. Half the stuff in PSCX should be there by default, as should a damned tabbed terminal (ComEmu and Hyper both have serious issues right now). At least Microsoft is working on the latter.
I share your enthusiasm about PS, and yes I personally like e.g. it's object piping way more than plain text piping and sometimes error-prone parsing in *nix, but calling it 'superior' is maybe a bridge too far. Above all, it's just different.
It's like comparing Word to TeX. Word presentation is usually content. In TeX they're separate. From that point of view you could reasonably argue that powershell is superior.
Also, basic stuff like tab completion and so forth just doesn't exist in Powershell, copying/pasting is a nightmare
Sorry but this just sounds like you don't know PS well enough. Run it under ConEmu, install PSReadline, PsFzf and a bunch of other goodies and those problems are gone. I'm not saying it's obvious, but there's enough tutorials out there for getting you up and running.
opening Internet Exploder when I just wanna download a damn file via CLI!
I'm not gonna install a million plugins to fix Powershell, what incentive do I have? At this point Windows is a rapidly dying platform in Point of Sale, with SLES having fully replaced it in nearly every major US grocer.
Nearly every interaction I have had with Powershell in the past 3 years has left me sad, angry, and frustrated. Building a decent shell isn't a monumental task, and I don't get why the occasional Windows box I touch is always a mess wrt Powershell.
It's not GNU wget, wget is aliased to PowerShell's Invoke-WebRequest. I should have shown that command probably.
You don't have to install plugins, tab completion etc works out of the box, copy/paste as well but in a not too handy way, I was just suggesting how to make it better. Then again, I have yet to meet a shell and OS which has all tools I want out of the box so for me the 'I down't want to install stuff' point is moot. Though if it's not for you, that's fine but you might get stuck at times.
Nearly every interaction I have had with Powershell in the past 3 years has left me sad, angry, and frustrated.
That is certainly possible, but isn't that just the result of not knowing it well enough? I mean, I've felt the same when first learning bash years ago. I quickly figured it mostly wasn't because of bash, but rather my lack of knowledge and/or trying to do things my (conceived 'proper') way instead of the bash way.
> cool stuff like being able to cd and rm the Environment and Registry keys like files. cmd has none of those
Emblematic of what's wrong with the Powershell (or perhaps MS as a whole) philosophy: you don't build this functionality into a shell, you build a file system module (you'd do it with FUSE if on Linux) that "mounts" the registry as a bunch of files. Then you could edit it in any shell or text editor, or even in a GUI file manager and GUI text editor if you wanted to.
By adding extra complexity to a shell command instead of offloading the process to small programs with a defined api?
I can see a lot more maintainability and portability of a implementation using FUSE to mount these systems as filesystems (so the abstraction is complete across the entire system instead of just in the command). Also the ease of having a abstraction which does not require special capabilities to be added to a program before it is useful is a reason that no system has properly supported these models before in this manner. On a UNIX system the same techniques could of been implemented sometime between the 70's and now to interact with environment variables and it has probably been implemented before but it has not gained mindshare as that approach is not scalable.
It's good enough for the few times I use Windows. For example stuff like
make && ./output
works. Git works from it. Also with clink (https://mridgers.github.io/clink/ ) it becomes even more similar. But you're right: For the times where you need more, you should fire up MSYS2 for example.
73 comments
[ 1.7 ms ] story [ 120 ms ] threadalias sudo="cygstart --action=runas"
https://chocolatey.org/packages/Sudo
I can't count how often I relaunch Command Prompt to Run as Admin.
But I'm hesitant to use a third party tool here, I really wish Microsoft just dealt with this properly.
2 - Select Run As...
1. Launch Notepad.
2. Open etc\hosts (within the bowels of C:\Windows).
3. Edit the file.
4. Try to save.
5. Profit?!? No, fail!
And if we go by "standard across all * nix variants", outside of base POSIX (if even that), nothing is really standard across all * nix variants. There's no way "standards across all * nix variants" can compete with Microsoft's APIs available across, say, 90% of their installed user base.
Developers that are fine with xmonad and CLI, settle for a POSIX experience, making such APIs like PolicyKit barely used, because portable UNIX applications don't adopt them.
Also, not sure why you've received two replies, that are - as far as I can see, completely irrelevant to what you've written; it's bizarre.
(and it would spare two key strokes ;)
`Start-Process <stuff> -verb RunAs` does the same
This solves a real problem and it works great. There's no horrible issue with getting a UAC dialog every time you do a sudo command. After all, in Windows (for better or worse) you need to be Administrator for less stuff.
For those without much Windows GUI-fu, shift-right click.
--
[1] Yes, I know this is awful security, but sometimes you have no choice.
Wait, then where does the whole UAC thing comes from??
RunAs always asks for password for the Administrator account (not the account for the delegated account like sudo). I have admin access to my work PC, but not the Administrator password (since UAC grants me access). Also, running elevated programs always in separate windows, so you can't redirect their input/output. And CLI program disappear instantly (no time to read the output).
I have used elevate.exe (http://code.kliu.org/misc/elevate/) but sudo seems even better (supports redirecting input/output).
I am not sure if I understand this. Does the machine have two different admin accounts, once of which you have access to?
Sounds dangerous to me.
Specially dimmed background, characteristic sound, the dialog runs on a dedicated desktop i.e. you won’t see any apps nor the start menu. Also the default button is No i.e. you can’t accidentally press Yes with enter or space keys, you have to use a mouse.
I'm author. I added this because I want to write hosts file with ":w !sudo tee %" from gvim.exe on Windows. But most of implementations doesn't work for this.
It's annoying that you still have to navigate the UAC dialog though - not sure how to get around that, without compromising security.
For those talking about right-click on the EXE... If you live in the command prompt, having to reach for the mouse just to elevate is irritating as hell.
Does your "something identical in 10 lines" do that?
I disagree, that's just an additional feature of it. The main point is that you can carry out admin tasks from an otherwise more restricted environment, so you only elevate your power when necessary. Otherwise, users might be tempted to always run whole sessions as an admin/root for convenience.
0: https://www.reddit.com/r/netsec/comments/6e1uft/a_poc_demons...
http://code.kliu.org/misc/elevate/
Or if you know the admin account you could use something like
Not if I want resemblance with Bash-like shells. I guess that's also the point of this: Most people already know sudo from Linux and cmd.exe, now they can use both together.
(Plus powershells structured output so you can use 'where' and 'select' and 'get-member' rather than scraping with regexs. )
It isn't that hard to build a decent shell, if zsh can do it, why can't MS put a few decent interns on it and get their act together? I feel like I'm knocking skulls together whenever I end up talking Powershell with someone from across the lake here in Seattle, this stuff isn't all that difficult!
Your comment successfully added nothing of value to this HN thread, besides showing your lack of ability to string together a coherent and logical reply, good jerb!
Your bashing of PS either comes from ignorance or you simply did not invest enough time to learn the technology. Tab completion and copy/pasting works flawlessly in powershell..you can even pipe to clip and have it in your clipboard. Downloading a damn file from internet is one of the simplest things you can do in PowerShell (and imho more pleasant than gluing wget/curl in your scripts). Bashing the syntax is totally unfair as it's a different paradigm.
I don't want to have to spend my time installing a bunch of crap on each Windows box I touch, it either has sane defaults and is usable from the get go, or I'm polishing a turd.
With that I learned to live with somewhat crappy terminal. Other than that I do not see anything that I would need.
Sorry but this just sounds like you don't know PS well enough. Run it under ConEmu, install PSReadline, PsFzf and a bunch of other goodies and those problems are gone. I'm not saying it's obvious, but there's enough tutorials out there for getting you up and running.
opening Internet Exploder when I just wanna download a damn file via CLI!
Again, seems like you are doing it wrong:
>wget news.ycombinator.com --2017-06-15 03:04:37-- http://news.ycombinator.com/ Resolving news.ycombinator.com (news.ycombinator.com)... 104.20.44.44, 104.20.43.44
I'm not gonna install a million plugins to fix Powershell, what incentive do I have? At this point Windows is a rapidly dying platform in Point of Sale, with SLES having fully replaced it in nearly every major US grocer.
Nearly every interaction I have had with Powershell in the past 3 years has left me sad, angry, and frustrated. Building a decent shell isn't a monumental task, and I don't get why the occasional Windows box I touch is always a mess wrt Powershell.
You don't have to install plugins, tab completion etc works out of the box, copy/paste as well but in a not too handy way, I was just suggesting how to make it better. Then again, I have yet to meet a shell and OS which has all tools I want out of the box so for me the 'I down't want to install stuff' point is moot. Though if it's not for you, that's fine but you might get stuck at times.
Nearly every interaction I have had with Powershell in the past 3 years has left me sad, angry, and frustrated.
That is certainly possible, but isn't that just the result of not knowing it well enough? I mean, I've felt the same when first learning bash years ago. I quickly figured it mostly wasn't because of bash, but rather my lack of knowledge and/or trying to do things my (conceived 'proper') way instead of the bash way.
Emblematic of what's wrong with the Powershell (or perhaps MS as a whole) philosophy: you don't build this functionality into a shell, you build a file system module (you'd do it with FUSE if on Linux) that "mounts" the registry as a bunch of files. Then you could edit it in any shell or text editor, or even in a GUI file manager and GUI text editor if you wanted to.
I can see a lot more maintainability and portability of a implementation using FUSE to mount these systems as filesystems (so the abstraction is complete across the entire system instead of just in the command). Also the ease of having a abstraction which does not require special capabilities to be added to a program before it is useful is a reason that no system has properly supported these models before in this manner. On a UNIX system the same techniques could of been implemented sometime between the 70's and now to interact with environment variables and it has probably been implemented before but it has not gained mindshare as that approach is not scalable.