microsoft / sudo

It's sudo, for Windows
MIT License

You are not allowed to run sudo #95

Open chuacw opened 1 month ago

chuacw commented 1 month ago

Sudo for Windows version

1.0.0

Windows build number

10.0.20348.2582

Other Software

No response

Steps to reproduce

On Windows Server 2022, in an Administrator cmd.exe window,

sudo c:\windows\system32\cmd.exe


Expected Behavior

Expect cmd to run

Actual Behavior

Got "You are not allowed to run sudo" instead.

zadjii-msft commented 1 month ago

That error message is specific to when the user is not a member of the admins group:

https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/helpers.rs#L181-L185

https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/main.rs#L343-L347

https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/main.rs#L311-L313

Are you either:

chuacw commented 1 month ago

As mentioned, this was the "Administrator" account, and it's a member of Administrators. UAC is totally disabled, set at "Never notify"

zadjii-msft commented 1 month ago

> UAC is totally disabled, set at "Never notify"

I'm betting that's what it is. I'd guess what's happening here is the same thing Terminal had to deal with - there's a difference between running elevated with a split token, vs the "UAC entirely disabled" scenario. Heck, right above that, there's even:

https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/helpers.rs#L116-L124

Looks like that check doesn't happen till after the can_current_user_elevate one. That should be easy enough for someone to rearrange the ordering of.
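
An added illustration of the check-ordering problem described in the comment above, not code from the sudo repository: a Rust model that calls no Windows API. Every name except `can_current_user_elevate` is hypothetical, and the body given to that function is an assumption (it treats only split tokens as able to elevate).

```rust
// Model only: no Windows API is called. Every name except
// can_current_user_elevate is hypothetical, and its body is an assumption.
#[derive(Clone, Copy, Debug, PartialEq)]
enum ElevationType { Default, Full, Limited } // mirrors TOKEN_ELEVATION_TYPE

#[derive(Clone, Copy, Debug)]
struct Token { kind: ElevationType, elevated: bool }

#[derive(Debug, PartialEq)]
enum Outcome { RunDirectly, RequestElevation, NotAllowed }

// Constructed sample tokens.
const STANDARD_USER: Token = Token { kind: ElevationType::Default, elevated: false };
const ADMIN_FILTERED: Token = Token { kind: ElevationType::Limited, elevated: false };
const ADMIN_SPLIT_ELEVATED: Token = Token { kind: ElevationType::Full, elevated: true };
// No split token (e.g. UAC disabled): full admin rights, but the type is Default.
const ADMIN_NO_SPLIT: Token = Token { kind: ElevationType::Default, elevated: true };

// ASSUMPTION: the capability check recognises only split tokens.
fn can_current_user_elevate(t: Token) -> bool {
    t.kind != ElevationType::Default
}

// Ordering as described in the thread: capability is tested before elevation state.
fn decide_reported(t: Token) -> Outcome {
    if !can_current_user_elevate(t) {
        return Outcome::NotAllowed; // "You are not allowed to run sudo"
    }
    if t.elevated { Outcome::RunDirectly } else { Outcome::RequestElevation }
}

// Rearranged ordering: an already-elevated token short-circuits first.
fn decide_reordered(t: Token) -> Outcome {
    if t.elevated {
        return Outcome::RunDirectly;
    }
    if can_current_user_elevate(t) { Outcome::RequestElevation } else { Outcome::NotAllowed }
}

fn main() {
    let cases = [("standard user", STANDARD_USER), ("admin, filtered", ADMIN_FILTERED),
                 ("admin, split + elevated", ADMIN_SPLIT_ELEVATED),
                 ("admin, no split token", ADMIN_NO_SPLIT)];
    for (name, t) in cases.iter() {
        println!("{}: reported={:?} reordered={:?}", name, decide_reported(*t), decide_reordered(*t));
    }
}
```

In this model the standard user is rejected under both orderings; only the administrator without a split token changes outcome.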

riverar commented 3 weeks ago

@zadjii-msft Is this a supported OS target?

zadjii-msft commented 3 weeks ago

I dunno if I can comment on the big-picture "is UAC disabled supported". I suppose it should be, at least from the perspective of sudo. Seems like it'd be easy enough for us to just shortcut the "can you elevate" and just do the thing (even tho you don't need sudo at all at that point)

riverar commented 3 weeks ago

@zadjii-msft Was referring to sudo running on Windows Server 2022. I thought sudo was only targeting newer versions.

zadjii-msft commented 2 weeks ago

Oh yea I don't see why not. Sudo might be "targeting" newer versions, but it should work all the way back to, like, Windows 7:

All it really needs is ConDrv, and that's been there for a loooong time now. Only reason we haven't backported it to win10 yet is because backporting takes a lot of paperwork to fill out 🤷

riverar commented 2 weeks ago

Cool thanks! I was looking to pitch in a fix here but wanted to verify running in this config was supported before I spun my wheels.