I've been working on this for the last few months now and I'm pretty excited to talk about it or answer any questions!
Alternatively, a stern yet extremely polite mail from Raymond Chen asking what you were actually trying to accomplish.
Probably some MS server =|
Does this elevate within your own account token (i.e. will not work for non-Administrator users), or does it actually switch user (e.g. to LOCAL SYSTEM)?
> Enable Sudo
> Enables the sudo command
If I were a scammer I could make up an acronym or something that sudo means and trick someone into turning this on because the toggle doesn't actually describe what it is so I can just weave my own narrative.
While I understand picking a familiar name, sudo is certainly not the only player, there's also doas. This shows people can adapt to another name and another name would have seemed more appropriate.
edit: whoops, it was already mentioned in this thread [3]
[1] https://daniel.haxx.se/blog/2016/08/19/removing-the-powershe...
Linux users can experience this now by using sed on macOS
It's hard to imagine a company that size would name it so deliberately without realizing it would cause confusion in search engine results and such.
A good faith assumption would be they wanted to make Windows more familiar to users of both but it also means that Windows will get mentioned in more Linux results over time to disambiguate it.
embrace (copy sudo), extend (add incompatible options), extinguish
Just scrolling through the documentation [1] gives some idea. Examples in the end may surprise the reader with the variety of capabilities.
[1]: https://www.man7.org/linux/man-pages/man5/sudoers.5.html
Or does runas work differently than I thought?
https://learn.microsoft.com/en-us/windows/sudo/#how-is-sudo-...
If the elevation prompt would show the elevated executable and not the wrapper, that would be news...
Reminds me of when PowerShell decided to have "wget" and "curl" cmdlets that didn't have any of the advanced features of the originals. Naively it sounds helpful. But it introduces confusion.
I would love to see a tighter integration of winget into Windows. I recently used a fresh MS Windows Server 2023 installation and had a bad day to even get winget installed.
I really hope that the current strategy does not turn out as somewhere between "embrace" and "extend"...
Powershell is a super neat language though.... especially if the Microsoft team that manages it would work more with the team that does more for SMEs and not just DevOps. The overwhelming majority of windows users doing regular business work have to deal with crufty stuff like VBA or over engineered stuff like C#. I was really hopeful for Powershell, but it seems like it's almost entirely to serve IT administrators or software developers. I wish that very capable team would do things like add a fairly simple GUI DSL or form designer with the tool. I know it can hook into WinForms, but that's a lot of effort and requires more C# background. There are probably millions of business analysts that would love to build little simple GUI apps without investing weeks of effort. The current approach is to just use Python, but that has its own bag of problems for those that can do a little coding, but aren't full time developers. It just seems weird that Microsoft never invested in a language for SMEs that would integrate well with the OS and Microsoft apps and tooling.
For us developers, the changes in Windows to support WSL2 weren't really an enhancement of Windows, it's now just a really complicated way to run Ubuntu. As in, Windows 11 is the biggest Linux bootloader in history.
sudo for Windows...can't even see a use for it any more.
Even continually sticking to old design patterns causes issues in development and deployment. Big name companies do not trust applications running on hosted Windows because of their current business practices. Microsoft does not even have a means to provide ease of deployment for air-gap systems. This is the only way some big businesses will let products hosted on Windows be in their facilities.
Windows has become more problematic for me because of all the layers of security that need to be applied for companies to trust Windows. This causes issues such as having to stop typing because Visual Studio or VSCode cannot process keystrokes in real time.
Localization translation text standard still does not allow for containing singular and plural in the same key. Translations should be easy to update so the client can improve wording on the fly. Microsoft still recommends using resx and compiling a DLL.
.....
Also winget does not have python 3.12 which was released 4 months ago.
Does this mean that the feature set of sudo for Windows can't be similar to the feature set found on sudo for *nix e.g. for BSD, MacOS, Linux..?
Plus it means I don't have to leave the comfort of Tabby.
Honestly, the hardest part will be porting the Settings app changes to the Windows 10 styles. `sudo.exe` itself doesn't really depend on any OS platform changes, and if it did, we'd have a _very_ compelling case to bring those features with us downlevel.
When coming up with your sudo what were your inspirations and what does sudo do that you decided you wanted to avoid?
Linux is open source and free, Apple develop an OS that sells specific hardware, and historically Windows has sold the software for generic hardware. Windows is unlikely to become a better Linux than Linux. Where is Microsoft's new business model going?
Historically Office was a money maker, but Office online is a shambles and many users interact with Office via this interface - I see Office slowly dying in favour of open source options. I see Windows licenses being sold less and less in the future. Microsoft Lens is essentially buried at this point. There are the Surface laptops/tablets which are good but not special. Dedicated games console hardware will likely become less attractive as they slowly become glorified desktop PCs.
I don't see Microsoft with big user shares in the software or hardware industries? There were a few good purchases such as Minecraft, GitHub (+), etc [1]. Is there something I'm missing?
[1] https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitio...
(+) GitHub's new security model is outright hostile - to the point I no longer want to use it.
"Microsoft revenue was $198 billion in 2022, up $30.2bn (+18%) from a year earlier. When we do a breakdown by product streams, the largest source of Microsoft’s revenue was Office, with $44.9 billion (23% of the total). Just behind in the second place was Azure with $44bn of revenue (22% of total)." - https://www.kamilfranek.com/microsoft-revenue-breakdown/
Office alone increasing by $5Bn revenue in a year, increasing by $24Bn in ~3 years, being the largest chunk of revenue of the most valuable market-cap company on the planet, that's what counts as "slowly dying"??
https://www.reddit.com/r/linuxmasterrace/comments/u4xeoy/in_...
exactly how is 'sudo for windows' different than the existing model in windows 10 where privilege elevation is a popup window and you click through it? arguably the current model is just sudo with nopasswd.
how do you reconcile the idea that your effort --without principled reform of the windows security model at a fundamental level-- is just cargo-culting a more successful project's security model?
'Start-Process powershell -Verb runAs' is the same or different than this?
Thanks for caring about security and trying to make things better. it's hard, thankless and frustrating (and that's just the windows part ;))
It's possible this sudo could have been implemented as yet more clunky flags to runas, but it seems like making it a separate tool has benefits: off by default, whereas runas is a nearly always-on required built-in; more importantly a nicer less clunky syntax.
Any particular reason the source code for sudo.exe wasn’t able to be open sourced along with the announcement of this feature?
Every little bit of friction removed is a good thing.
and what's the point of switching when gsudo basically does the same?
Sorry, this has been lacking for so long that you know... Late to the party.
I am not asking questions about sudo to someone assuming sudo is specifically Linux software.
But honestly I'm most amazed by the fact that there wasn't previously a way to run commands with elevated permissions in Windows. How did people work like that? Just run everything in an admin terminal super unsafely?
Am I biased? Haha yes, I have a signed copy of Free Software, Free Society. But also I have spent years caring about products that do need to work on windows. And my professional take is "there is always a way to do it, but it is very seldom pretty." (And my take for linux is "there is always a way to do it, often more than one, and at least one of them is going to be pretty, but which one is the pretty one will depend greatly on who you are and what you're doing").
It doesn't really bother me personally either way, but I understand people's concern. I didn't mind the wget and curl aliases. I find myself autopilot typing 'ls' in PS quite often and I'm glad they aliased it to 'dir'.
But, when you install the actual curl and it doesn't work the way you expect, then it's both irritating and confusing. Horrible choice by MSFT.
RunWithAllTheElevatedPermissionsPossible --YesEvenThose .\inthisfolder.folder\.
grep : The term 'grep' is not recognized....
Yep, aliases help. Also, verbs are standardized. That example was a bit hyperbolic.
Most of my work is in Linux nowadays, but for me, jq, yq, and other text manipulation software and shell features in bash/zsh will always take a back seat to using the standard commands that ship with PowerShell. I wince every time I see a co-worker using a pipeline full of parse-and-pray greps and awks that is fancy af and amazing, but also, maybe not as nice or consistent as working with objects.
I will say though, you might say "PowerShell is more convenient in many scenarios," not that it's more advanced.
Run-WithAllTheElevatedPermissionsPossible -YesEvenThose .\inthisfolder.folder\.
See, verb-noun. and single dash. because reasons?
Seems like it's not an alias.
[1] https://learn.microsoft.com/en-us/windows/sudo/#how-is-sudo-...
But then I read
> When elevating a process from the command-line with sudo, a UAC dialog will appear asking the user to confirm the elevation:
LOL
But it seems like there are other ways to use it without this dialog
> In this configuration, sudo.exe will launch a new elevated console window and run the command in that window. The new window will be launched with the same working directory as the current window. The new window will also be launched with the same environment variables as the current window. This configuration has a similar flow to the runas command.
The whole point of the split token / UAC elevation is to avoid elevation without user interaction. Imagine malware stuck as standard user just running itself like:
cmd.exe /c sudo malware.exe
Along with the UAC dialog, I can't think of a worse way for sudo to behave.
What's wrong with entering your password for sudo? How is UAC more secure than a password?
This looks like one of those KPI fulfilling projects.
It actually wasn't. This has been one of the top community requests for the Windows Command Line for years. Literally, for like, the entire 8 years I've been here, we've been talking about if there was a way to do Sudo for Windows.
This was done because it makes developers happy, plain and simple. If that's a KPI, then that's the one we're optimizing for.
In other words, you're not actually solving the reason people are asking you for sudo for Windows. How do I configure my sudoers policy to allow someone to run a specific application (and only that application) through sudo? THAT is the magic of sudo. Sudo is not just "use your own password for root" like you seem to think it is.
https://learn.microsoft.com/en-us/windows/sudo/#how-is-sudo-...
Or forgot to Run As and opened a non-elevated terminal by accident?
> Runas /user:administrator "application.exe"
Think this might be why it's not very well known compared to sudo.
While the original support wasn't great, SUA was quite usable, until they decided to discontinue it on Windows Vista.
Nowadays we have WSL, which makes more sense, given how many folks buy Apple hardware and then complain UNIX isn't GNU/Linux.
Reminds me of a specific thought experiment with a boat.
Now that isn't necessarily true for Windows running in the cloud. Drivers don't matter as much there.
https://www.microsoft.com/en-us/sql-server/blog/2016/12/16/s...
According to his website, he's been the maintainer for 30+ years.
What Sudo does is only provide the root/admin privileges for the specific inputted command. Once it is done, it goes back to user privileges. This way, the terminal window doesn't need to end the session to go back to user privileges.
I mean, that's sudo's whole thing! [1] You can live your day to day terminal life without the risk of borking things too badly, then when you occasionally need to elevate to higher privileges you can do it easily for that specific command.
[1] Technically not the whole thing obviously, but it's a very common use case.
It's a convenience thing.
Interesting
> Reserved
> not blank!
> We like to camp nice round number issues like this one, for future use.
Can you reuse GitHub issue numbers, or what could be their intention here?
We even used to have a bot that would auto-camp anything that was a multiple of 1000 or 1111 :D
But the number is 11? Is this Spinal Tap?
As another commenter pointed out regarding the integration of this new "sudo" and UAC prompts, it will probably be done in a new, separate, different tool, because this new, freshly released "sudo" will now have to remain bug-for-bug compatible for the next four decades.
I always wondered why it wasn't called WslEx.
Then Microsoft doubles down and introduces a better prompt called WSL - the Windows Subsystem for Linux because the Windows command prompt still sucks... and this is just an Ubuntu VM in Windows.
And now they implement Sudo?
Microsoft hasn't learned the first lesson of holes - when you find yourself in one, stop digging.
Very bleh.
Not sure if this is the same thing, but this definitely should have shipped with the very first implementation of "oh, sure, you're an Administrator, but not really, since we're ignoring that bit" a.k.a. User Account Control.
That would have saved about a metric ton of misguided "here's how to turn off UAC" tutorials, but, ehm, yeah, anything to inject some life into the moribund Windows Insiders Program (the one where https://blogs.windows.com/windows-insider/ proudly headlines "What’s coming for the Windows Insider Program in 2023"), right?
> If you’re looking for additional functionality that Sudo for Windows does not provide, check out Gerardo Grignoli’s gsudo which has a number of additional features and configuration options.
https://fosstodon.org/@serghei@mastodon.social/1119009868252...
For the other few things I missed: Very happy for the feedback! I've filed bugs and those'll be the first things I look at come Monday morning.
MS in a nutshell:
Ready, fire, aim!
Users:
"Immediately, there was a problem."
https://arstechnica.com/information-technology/2009/11/micro...
In these configurations, sudo.exe will launch a new elevated process, an elevated sudo.exe process, and the original unelevated sudo.exe will establish an RPC connection with the new elevated process. In other words, information is passed from the unelevated sudo instance to the elevated one.
That reminds me, I have a half-written implementation here:
> Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session
95% of linux users are developers who understand risk -- though are prone to mistakes
99% of windows users are casual consumers.
Let's keep this functionality narrowly accessible: restricted to developer mode and very formal consent. I suggest disabling it if it's unused for a few days
this will only rejuvenate the malware market.
Guess it's good to have more options though.
Still, doesn’t prevent antimalware software from blocking you if you try something naughty.
Everyone knows, if you can C colon, you're running an M$ product...
I run Windows as my primary development environment because it's better. Linux and other OSes run in VMs.
sudo c:\some\path\to\normally_needs_elevation_to_function.exe
will work for my user in my current desktop session without an elevation prompt?
But I'm also bracing for millions of windows users that will now be able to sudo pip install.
I hear you! We thought about some of the options you’re calling out here. A lot of customers voiced having the muscle memory of doing similar flows on various operating systems was more important to them and that’s where we landed. I totally understand your perspective and I do really appreciate the feedback. I’m always trying to learn from people like you so I can help to build things that will make your life better.
From https://devblogs.microsoft.com/commandline/introducing-sudo-...
* asadmin
* admindo
* adminrun
* admrun
* elevate
* privelev
This is like when PowerShell hijacked curl all over again...
the new "sudo bash"