Sudon't
AdreKiseque opened this issue · 4 comments
Description of the new feature / enhancement
While there are many ways to start elevated processes from unelevated shells, starting unelevated processes from elevated shells is a rather difficult task in Windows. runas.exe and launching through explorer are available options, but each presents its own limitations. Sudo for Windows provides an opportunity to add an easier avenue for accomplishing this task.
Scenario when this would be used?
Just as sudo is useful for running elevated processes out of an unelevated shell without having to open a new administrative terminal, a "sudon't" command would be useful for starting unelevated tasks out of elevated sessions without having to open a new non-administrative console. This would be useful for any task where elevated permissions provide little more than a security risk, as well as for certain programs that behave differently based on permission levels, such as some application installers. Another use-case would be in scripts that run elevated but may wish to start tasks unelevated for the same reasons, but struggle even more so with the issue due to not being able to manually open a new shell to run the command.
Supporting information
It doesn't actually have to be called sudont (but it should).
How would this work? There isn't just a 'non-administrative terminal'; sudo executes commands as the administrator user. 'sudon't' should execute it as..? In Linux/Unix sudo there is a way to specify the user with -u/--user, which could be implemented in some way here if that's what you mean.
Well, the most obvious implementation would be to run it as the current user in an unelevated context. A user with administrator status and UAC enabled can run things both as a "normal" user (default status) or with elevation ("run as administrator"). Sudo executes commands "as administrator", so "sudon't" would just execute as though you had run the command from a regular terminal. There are potential edge cases that would need to be addressed, though.
...Your comment seems to imply Sudo for Windows executes commands not as the active user with elevation, but as the built-in "Administrator" account. Is that really how it works, or has there been a misunderstanding?
I looked a bit into it and yes, the sudo command functions differently on Windows than on Linux (with UAC vs directly running as the root account), but you can't run commands unelevated because all child processes are affected and there isn't a way to 'downgrade' those privileges. You would need to specify a user to execute with, so runas would basically be the same.
There are ways to downgrade the privileges; they're just very convoluted. That's why packing them right into a tool like sudo would be beneficial, as users wouldn't have to go through those convoluted methods themselves.