
work in progress

so where am i at on the development of sudowin? well, my real job has been getting in the way, as well as the different rags that i work for. so i have been dividing my time between working, writing, and thinking about developing sudowin and playing world of warcraft (i’m only 65 :( ).

the unstable code in the repositories does have support for domain based accounts and groups. however, i am still in the process of figuring out how to implement this feature in production without it becoming a massive security hole. i will create a diagram and explain the situation more thoroughly at a later date (in the next few days).

rest assured that the sudowin development has not stopped, it has just taken a break to cope with real-world interruptions.


16 thoughts on “work in progress”

  1. Hi Andrew,

    I’ve just discovered sudowin, does it work properly on vista? I’d much rather use this than UAC.

    I’ve installed it and it appears to be working ok, no errors etc but when I sudo an app it doesn’t seem to have any additional privileges.

    Is sudowin still under development? Does it work properly on vista?

    Cheers,
    John

  2. Hi Andrew,
    On a hunch I totally disabled UAC – and now it works!

    Well, almost. The only thing that doesn’t work for me is sudoing a folder. Yes, I have turned on open windows in a separate process :)

    I have mixed feelings about vista… I was considering going back to XP, but I’ve installed SP1 RC and it’s quite a bit better. Not as greedy with memory, and quite a bit snappier.

    Once you have disabled some of the crap, like readyboost and UAC, it’s just as fast as XP, and it does have some nice stuff – like the desktop search.

  3. Oh yeah, I did once disable UAC and find that it worked. Thanks for reminding me. I will update the FAQ :) FYI – You can download desktop search for XP. I may move to Vista once it works with Aero at a decent speed under Fusion. But until then, OS X serves me quite well. Heck, I’d give up Windows altogether if it wasn’t for my never ending well of knowledge WRT its API. It’s the easiest OS for me to program in, so it is hard to let it go. You know?

  4. Yeah, I’m a .net dev, so no point in me even trying linux or osx.
    I got vista preinstalled on this laptop, and I grew to hate it, but after installing sp1 to get some decent performance, and disabling most of the new crap in vista, it’s really not bad. No issues with compatibility or stability.
    I have used copernic desktop search on XP for years, it’s great. The vista search is just as good, and the search box on the start menu is _awesome_. It searches for shortcuts on your start menu first, so you never have to trawl through your program groups. Back when I really really hated vista, that search box in the start menu was about all that kept me from switching.

    Sudowin not working on opening folders is a major issue, got any ideas there? Is it worth turning on logging?

  5. Hi Andrew,
    You mentioned that “the unstable code in the repositories do have support for domain based accounts and groups”. I haven’t had any problems using domain based accounts so far. When do problems with domain-based authentication show up?

    Thanks!

  6. Hmm ok with further investigation vista seems to intentionally do everything possible to stop you running explorer under a different account, or with a different token. Seems like a very stupid design decision.

    I’ve cobbled up a cmd script that uses the handy new functionality in icacls to save a folder’s ACL to a temp file, then pause (while you do what you need), then restore the ACLs. Bit of a dirty hack but it lets me get access to things like c:\windows when you need. It doesn’t help with control panel etc though.

    After all this grief I may as well throw in the towel and turn UAC back on, and go back to local admin.

    How ironic – a feature of vista designed to prevent the problems caused by people running as admin all the time may force me to run as local administrator. I would have been much happier running how I was with XP, as non-admin but with sudo for admin tasks.

  7. In order to elevate privileges in Vista with UAC on, you must use the ShellExecuteEx API with the verb “runas”. That will display the UAC prompt. Unfortunately, that API does not allow you to pass in user credentials.

    I’ve written a similar tool and used the same “callback” model.

    The first time the callback was run, it would rerun the callback with credentials* and a flag. When the callback saw the flag, it would run the application using the “runas” verb and UseShellExecute = true.

    I think I’ll download the source and see if I can patch it.

    * Using System.Diagnostics.Process.Start

  8. Killman – Sounds good. I’ll have to take a look at that. Sudowin is about the last thing tying me to Windows. I LOVE .NET, but I have grown more and more comfortable with Java, and one day I think I’ll just give up Windows and go Mac and Linux full-time. I just can’t abandon Sudowin before I release the domain version…

  9. I have modified Sudowin to work with Vista UAC.

    Basically, you need to run the Callback app twice. The first time is with the new token that includes the Administrators group. The callback then executes again (this will be as an admin, but UAC will not have elevated this token). The second time then executes the application you sudo’d but uses UseShellExecute=true and Verb=”runas” to force the UAC prompt.

    So now you have the best of both worlds. You can now run as a limited user ALL the time. Then when you need to elevate to Admin, you can Sudo and UAC will still prompt as usual.

    So why is this different than simple UAC where the normal Admin token is the same as limited user?

    Well, by updating the sudowin config file, you can limit which apps can be elevated. This is great for home use where I would never give admin rights to my kids, but some applications (namely games) won’t run unless you’re an admin. By adding the game to the config file, my kids can play these games without me having to enter an admin password. The same advantages apply to business apps.

    I’ll send you a patch shortly.
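    The two-phase callback Killman describes above (comments 7 and 9), sketched as an added C# example. This is not sudowin’s code and not the patch mentioned; the allow-list contents, the `--phase2` flag and the `route.exe` path are constructed for illustration, standing in for what sudowin reads from sudoers.xml.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Diagnostics;
    using System.IO;

    // Hypothetical sketch of the two-phase "callback" (not sudowin's own code).
    // Phase 1: we have been started with the token that includes Administrators,
    // but UAC has not elevated it, so we re-run ourselves with a marker flag.
    // Phase 2: we launch the allowed target with Verb="runas", which makes the
    // shell request elevation and shows the normal UAC prompt.
    static class ElevateCallback
    {
        // Constructed allow-list; sudowin keeps the real one in sudoers.xml.
        static readonly HashSet<string> Allowed =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"C:\Windows\System32\route.exe" };

        const string Phase2Flag = "--phase2";

        // Canonicalise before comparing so relative paths, "..\" segments and
        // mixed case cannot get an unlisted binary past the allow-list.
        static bool IsAllowed(string target) => Allowed.Contains(Path.GetFullPath(target));

        static int Main(string[] args)
        {
            bool phase2 = args.Length == 2 && args[0] == Phase2Flag;
            if (args.Length != 1 && !phase2) { Console.Error.WriteLine("usage: callback [--phase2] <exe>"); return 2; }
            string target = phase2 ? args[1] : args[0];

            // The allow-list is checked in both phases; only listed programs are ever elevated.
            if (!IsAllowed(target)) { Console.Error.WriteLine("refused: not in allow-list: " + target); return 1; }

            if (!phase2)
            {
                // Phase 1: re-run ourselves. The child inherits the admin-group token,
                // still unelevated, and will perform the actual "runas" launch.
                string self = Process.GetCurrentProcess().MainModule.FileName;
                var psi1 = new ProcessStartInfo(self, Phase2Flag + " \"" + target + "\"") { UseShellExecute = false };
                using (var child = Process.Start(psi1)) { child.WaitForExit(); return child.ExitCode; }
            }

            // Phase 2: "runas" is only honoured when UseShellExecute is true.
            var psi2 = new ProcessStartInfo(target) { UseShellExecute = true, Verb = "runas" };
            try { using (Process.Start(psi2)) { } return 0; }
            catch (Win32Exception) { return 3; } // ERROR_CANCELLED: the user declined the UAC prompt
        }
    }
    ```

    Because the `runas` verb goes through the shell, it cannot be combined with explicit user credentials, which is why the elevated-token launch has to happen in a separate phase.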

  10. Has your domain version of sudowin been released yet? I am having problems when using domain accounts. Local accounts are working just fine on win2k3.

  11. Hi,

    can anyone say what “Sudowin service is dead to you” means?
    We have this problem after a fresh installation on two w2k3 servers. We only changed sudoers.xml. sudo windows service is running.

    Thnx

    Floek

  12. I had a “sudowin is dead to you” when the administrators group was named differently because of a different language in windows.

    on my Norwegian winxp the group is named like this:
    privilegesGroup=”Administratorer”

  13. just wondering. I remember in sudo for linux you can have some programs sudoed without asking for user password. is this possible in sudowin?
    I know this is punching another hole in the system, but for some small programs it would have a benefit. in my case route command (openvpn).

  14. floek – did you also add the user to the sudoers group that the installer creates? it has always worked for me when I replace the example user in the xml file and add the limited user to sudoers.

    I’m really excited about sudowin after using it for six months. I sometimes have to use runas /env /noprofile, but sudowin usually works well. I wish ms had put this into their own code from the beginning.

  15. I looked for the changelog for the new version but did not find anything. is it in the zip version? I usually use msi if provided.
