gerardog/gsudo

Issue: Windows 24H2 Has Sudo

mattcargile opened this issue · 9 comments

Issue Description

https://devblogs.microsoft.com/commandline/introducing-sudo-for-windows/

Not sure if there needs to be special concessions for this? It appears it has to be enabled by the users manually. It appears Windows is using sudo as the application name. Maybe a check on install of gsudo can check for it? Maybe this should all be handled in Chocolately or Winget or Scoop itself?

Just starting the convo...I also assume Windows is using the same techniques as gsudo? I wonder if there are any exposed APIs that could be leveraged in gsudo?

Steps to Reproduce

  1. N/A

Screenshots

Context:

  • Windows version:
  • gsudo version:

After watching the YouTube video, it seems like it is only for a process and you can't pass pure powershell to it like gsudo. The name clash is a bummer. They should have made there binary wsudo or the like. From reading the comments, their customers wanted the muscle memory.

The one feature that stood out was a mode that would disable the standard-in of the elevated process. Does gsudo have this or is the standard-in always open on the elevated process?

Just starting the convo...I also assume Windows is using the same techniques as gsudo? I wonder if there are any exposed APIs that could be leveraged in gsudo?

Microsoft is not using any new Api's, at least yet, which makes it similar to gsudo, and also backwards compatible to win 10. Already documented here. Microsft sudo vs Gsudo.

Basically winsudo or ms-sudo (how do we name it at least in our conversations?) is same as gsudo in Attached Mode plus forwarding of the handles, which resolves some drawbacks I had with that mode.

After watching the YouTube video, it seems like it is only for a process and you can't pass pure powershell to it like gsudo.

Implementing that one is a one way road. Once implemented, then the users will expect winsudo to accomodate to any shell, and microsoft will never do that. My opinion is that it should be PowerShell who should provide that syntax goodie, not sudo.exe or gsudo.exe. That would make it also work it Linux, with the real sudo.

The name clash is a bummer. They should have made there binary wsudo or the like. From reading the comments, their customers wanted the muscle memory.

I can't blame them on that one. But... their customers are gsudo users plus... or people who hasn't discovered gsudo yet. I think gsudo helped break the mental barrier that prevented microsoft from implementing it.

The one feature that stood out was a mode that would disable the standard-in of the elevated process. Does gsudo have this or is the standard-in always open on the elevated process?

I implemented it two years ago. It is documented here. The naming is not really catchy: gsudo config SecurityEnforceUacIsolation true. Not sure if a single soul used it, since no-one ever mentioned it to me, so I didn't invest more time in it. And I am not Microsoft, so I couldn't embed telemetry (people will have valid reasons to hate an elevated app with telemetry) which means that I don't know if anyone uses it. Happy that Microsoft also implemented it, kinda gave some value that the idea was worth it.

Let's talk actionable items:

  • Regarding the name clash, I wouldn't make gsudo overwrite an OS command by default. Maybe add an easy opt-in way to force gsudo's sudo alias?
  • Also, let's ensure gsudo accepts input parameters in winsudo format. I was waiting for winsudo to stabilize before starting this.

Just starting the convo...I also assume Windows is using the same techniques as gsudo? I wonder if there are any exposed APIs that could be leveraged in gsudo?

Microsoft is not using any new Api's, at least yet, which makes it similar to gsudo, and also backwards compatible to win 10. Already documented here. Microsft sudo vs Gsudo.

Basically winsudo or ms-sudo (how do we name it at least in our conversations?) is same as gsudo in Attached Mode plus forwarding of the handles, which resolves some drawbacks I had with that mode.

After watching the YouTube video, it seems like it is only for a process and you can't pass pure powershell to it like gsudo.

Implementing that one is a one way road. Once implemented, then the users will expect winsudo to accomodate to any shell, and microsoft will never do that. My opinion is that it should be PowerShell who should provide that syntax goodie, not sudo.exe or gsudo.exe. That would make it also work it Linux, with the real sudo.

The name clash is a bummer. They should have made there binary wsudo or the like. From reading the comments, their customers wanted the muscle memory.

I can't blame them on that one. But... their customers are gsudo users plus... or people who hasn't discovered gsudo yet. I think gsudo helped break the mental barrier that prevented microsoft from implementing it.

The one feature that stood out was a mode that would disable the standard-in of the elevated process. Does gsudo have this or is the standard-in always open on the elevated process?

I implemented it two years ago. It is documented here. The naming is not really catchy: gsudo config SecurityEnforceUacIsolation true. Not sure if a single soul used it, since no-one ever mentioned it to me, so I didn't invest more time in it. And I am not Microsoft, so I couldn't embed telemetry (people will have valid reasons to hate an elevated app with telemetry) which means that I don't know if anyone uses it. Happy that Microsoft also implemented it, kinda gave some value that the idea was worth it.

Let's talk actionable items:

  • Regarding the name clash, I wouldn't make gsudo overwrite an OS command by default. Maybe add an easy opt-in way to force gsudo's sudo alias?
  • Also, let's ensure gsudo accepts input parameters in winsudo format. I was waiting for winsudo to stabilize before starting this.

I think adding an option to keep the "sudo" alias is a good and high-priority item.

I added a config setting, that when toggled will ensure gsudo path appears first in the PATH in #353.
It's currently named PathPrecedence

image

Alternatively, I could name the config option something like EnsureSudoAlias or similar.., But subjectively, the PathPrecedence sounds more explicit. Opinions before this is released?

I believe that overriding Ms-Sudo should NOT be the default, An opt-in is preferrable. Scripts or people may want to use sudo for ms-sudo, and gsudo for this one.

In #354, I've added a brief description to gsudo config
image

Next goal, make gsudo arguments compatible with 24H2 ms-sudo.
image

Alternatively, I could name the config option something like EnsureSudoAlias or similar.., But subjectively, the PathPrecedence sounds more explicit. Opinions before this is released?

Yeah, i think PathPrecedence is more accurate to what it does.

I believe that overriding Ms-Sudo should NOT be the default, An opt-in is preferrable. Scripts or people may want to use sudo for ms-sudo, and gsudo for this one.

Ye. while i prefer gsudo i just opted to not mess with ms-sudo for now.

Next goal, make gsudo arguments compatible with 24H2 ms-sudo. image

Thanks for being one step ahead of these kind of changes, and for making gsudo, been using it already for 3 years

v2.5.0 is out. Anything else to address, or any other idea?

I just now noticed that gsudo lacks a nice beautiful icon, like it's done in microsoft sudo

Yeap. I lack the skills to make a beautiful one...
For https://gerardog.github.io/gsudo/ I did this thing: image
... which is terrible ...
suggestions accepted!