You are not allowed to run sudo

Sudo for Windows version

1.0.0

Windows build number

10.0.20348.2582

Other Software

No response

Steps to reproduce

On Windows Server 2022, in an Administrator cmd.exe window,

sudo c:\windows\system32\cmd.exe

Expected Behavior

Expect cmd to run

Actual Behavior

Got "You are not allowed to run sudo" instead.

That error message is specific to when the user is not a member of the admins group:

sudo/sudo/src/helpers.rs

Lines 181 to 185 in 5fd6a79

    
           pub fn can_current_user_elevate() -> Result<bool> { 
        
               let current_token = current_process_token()?; 
        
               let elevation_type: TOKEN_ELEVATION_TYPE = get_token_info(*current_token)?; 
        
               Ok(elevation_type == TokenElevationTypeFull || elevation_type == TokenElevationTypeLimited) 
        
           }

sudo/sudo/src/main.rs

Lines 343 to 347 in 5fd6a79

    
           if !can_current_user_elevate()? { 
        
               // Bail out with an error. main(0) will then print the error message to 
        
               // the user to let them know they aren't allowed to run sudo. 
        
               return Err(ERROR_REQUEST_REFUSED.into()); 
        
           }

sudo/sudo/src/main.rs

Lines 311 to 313 in 5fd6a79

    
           _ if hr == HRESULT::from_win32(ERROR_REQUEST_REFUSED.0) => { 
        
               eprintln!("{}", r::IDS_SUDO_DISALLOWED.get()); 
        
           }

Are you either:

running with over-the-shoulder elevation (where your local user account isn't an admin, and you're running cmd as another admin user)?
Running with UAC entirely disabled?

As mentioned, this was the "Administrator" account, and it's a member of Administrators.
UAC is totally disabled, set at "Never notify"

UAC is totally disabled, set at "Never notify"

I'm betting that's what it is. I'd guess what's happening here is the same thing Terminal had to deal with - there's a difference between running elevated with a split token, vs the "UAC entirely disabled" scenario. Heck, right above that, there's even:

sudo/sudo/src/helpers.rs

Lines 116 to 124 in 5fd6a79

    
           pub fn is_running_elevated() -> Result<bool> { 
        
               // TODO! 
        
               // Do the thing Terminal does to see if UAC is entirely disabled: 
        
               // Which is basically (from Utils::CanUwpDragDrop) 
        
               //     const auto elevationType = wil::get_token_information<TOKEN_ELEVATION_TYPE>(processToken.get()); 
        
               //     const auto elevationState = wil::get_token_information<TOKEN_ELEVATION>(processToken.get()); 
        
               //     if (elevationType == TokenElevationTypeDefault && elevationState.TokenIsElevated) 
        
               //

Looks like that check doesn't happen till after the can_current_user_elevate one. That should be easy enough for someone to rearrange the ordering of.

@zadjii-msft Is this a supported OS target?

I dunno if I can comment on the big-picture "is UAC disabled supported". I suppose it should be, at least from the perspective of sudo. Seems like it'd be easy enough for us to just shortcut the "can you elevate" and just do the thing (even tho you don't need sudo at all at that point)

@zadjii-msft Was referring to sudo running on Windows Server 2022. I thought sudo was only targeting newer versions.

Oh yea I don't see why not. Sudo might be "targeting" newer versions, but it should work all the way back to, like, windows 7:

All it really needs is ConDrv, and that's been there for a loooong time now. Only reason we haven't backported it to win10 yet is because backporting takes a lot of paperwork to fill out 🤷

Cool thanks! I was looking to pitch in a fix here but wanted to verify running in this config was supported before I spun my wheels.

Is there any progress on this issue?

I know this is NOT simply the Windows implementation of sudo as known from Linux systems, but in this case calling it "sudo for Windows" seems to be a misuse at best. As per the Wikipedia article on sudo: "[sudo] enables users to run programs with the security privileges of another user, by default the superuser".

In this case it allows admin users (superusers) run application in the elevated context. It should be called "command line UAC" or something similar, which would be far more accurate. Unless there is a plan to make the Windows "sudo" a real sudo implementation for Windows with all (or at least core) the features.

That discussion was had in #23 and is unrelated to this issue.

	pub fn can_current_user_elevate() -> Result<bool> {
	let current_token = current_process_token()?;
	let elevation_type: TOKEN_ELEVATION_TYPE = get_token_info(*current_token)?;
	Ok(elevation_type == TokenElevationTypeFull \|\| elevation_type == TokenElevationTypeLimited)
	}

	if !can_current_user_elevate()? {
	// Bail out with an error. main(0) will then print the error message to
	// the user to let them know they aren't allowed to run sudo.
	return Err(ERROR_REQUEST_REFUSED.into());
	}

	_ if hr == HRESULT::from_win32(ERROR_REQUEST_REFUSED.0) => {
	eprintln!("{}", r::IDS_SUDO_DISALLOWED.get());
	}

	pub fn is_running_elevated() -> Result<bool> {
	// TODO!
	// Do the thing Terminal does to see if UAC is entirely disabled:
	// Which is basically (from Utils::CanUwpDragDrop)
	// const auto elevationType = wil::get_token_information<TOKEN_ELEVATION_TYPE>(processToken.get());
	// const auto elevationState = wil::get_token_information<TOKEN_ELEVATION>(processToken.get());
	// if (elevationType == TokenElevationTypeDefault && elevationState.TokenIsElevated)
	//