gerardog/gsudo

Feature Request: Invoke-gsudo credentials parameter

NorskNoobing opened this issue · 5 comments

Description

I want a credentials parameter on the Invoke-gsudo function. This way it would be easier to run multiple different functions when providing the credentials once. You'll also be able to import your credentials from a file instead of using UAC all the time.

Proposed technical details

Here you'll be able to invoke multiple functions into separate variables:
Enter creds before running functions:
$admCreds = Get-Credential -Message "Enter admin credentials"
or import creds from a encrypted file:
$admCreds = Import-Clixml $admCredsPath | ConvertFrom-Securestring -AsPlainText

$var1 = Invoke-gsudo -Credentials $admCreds {function1}
$var2 = Invoke-gsudo -Credentials $admCreds {function2}

Interesting. In the past I've refrained to send plain text credentials to gsudo, but I like the idea of using PowerShell secure credentials. Specially to start a cache or similar:

Start-Process .\gsudo.exe -ArgumentList "--debug cache on" -Credential $admCreds

which doesn't work right now, but it may in the future.

Implemented in #188
But PowerShell/PowerShell#18333 / PowerShell/PowerShell#12129 may cause some issues for Invoke-gsudo specifically, not for gsudo -u UserName

Implemented in #188 But PowerShell/PowerShell#18333 / PowerShell/PowerShell#12129 may cause some issues for Invoke-gsudo specifically, not for gsudo -u UserName

This doesn't solve the issue tho. The end goal is a non-interactive way to run gsudo, so it can be run in e.g. scripts in the background and stuff like that.

The current implementation only adds the option to runas a specific user, but you'll still have to enter password and press "yes" in the UAC prompt.

I can't bypass UAC just with a flag. You need to consent at some point. Or you can disable the consent.

It is not that I won't. I can't ! Even with user & password credentials I can't spawn an elevated process without UAC unless gsudo is already elevated

In your situation, I would either:
a) create a script and add it as a scheduled task. with credentials, etc
b) use gsudo cache for minimal credentials prompt:

gsudo cache on # show one popup.
gsudo X # several actions without popup
gsudo Y
gsudo Z
gsudo cache off

c) disable UAC.

Programming the capability of installing gsudo as a windows service and actually behave like a sudoers is not in the near-future roadmap...

I created #194 to create the most similar to a UAC bypass I can think of now.