Skip to content

Add fix for Start-Job initialization script in system lockdown #8284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 26, 2018
Merged

Add fix for Start-Job initialization script in system lockdown #8284

merged 2 commits into from
Nov 26, 2018

Conversation

PaulHigin
Copy link
Contributor

PR Summary

This is a Windows platform issue only.

When running remote initialization script, the script block is considered internal and marked as trusted. In system lock down mode, PowerShell runs in ConstrainedLanguage mode and won't allow a trusted script block to run in the default scope.

Fix is to mark the initialization script as untrusted external when system is locked down.

Repro:

# PowerShell running in locked down system
Start-Job -InitializationScript { function Hello { "Hello" } } -ScriptBlock { Hello } | Wait-Job | Receive-Job

# Result
Error: "Cannot dot-source this command because it was defined in a different language mode. To invoke this command without importing its contents, omit the '.' operator."

Fix is to mark initialization script as untrusted "external origin" when system is in lock down mode, so that it can run in ConstrainedLanguage session scope.

PR Checklist

@PaulHigin PaulHigin requested a review from TravisEz13 November 15, 2018 23:49
@PaulHigin PaulHigin requested a review from mirichmo as a code owner November 15, 2018 23:49
@PaulHigin PaulHigin removed the request for review from mirichmo November 15, 2018 23:49
@PaulHigin PaulHigin added OS-Windows WG-Remoting PSRP issues with any transport layer labels Nov 15, 2018
@iSazonov iSazonov added the CL-Engine Indicates that a PR should be marked as an engine change in the Change Log label Nov 16, 2018
@TravisEz13 TravisEz13 changed the title [Feature] Add fix for Start-Job initialization script in system lockdown Add fix for Start-Job initialization script in system lockdown Nov 16, 2018
@adityapatwardhan
Copy link
Member

@PaulHigin, could you push a commit with [Feature] tag in it. The new test that is added is tagged as Feature hence was not executed in the CI.

@adityapatwardhan
Copy link
Member

Restarted CI in appveyor to pickup the latest test fixes.

@PaulHigin
Copy link
Contributor Author

@adityapatwardhan Can this be merged?

@adityapatwardhan adityapatwardhan merged commit 6a388f0 into PowerShell:master Nov 26, 2018
@PaulHigin PaulHigin deleted the fix_startjob_initScript branch November 27, 2018 17:50
iSazonov pushed a commit to iSazonov/PowerShell that referenced this pull request Nov 29, 2018
@PaulHigin @iSazonov
Add fix for Start-Job initialization script should not be executed …
e1c4713 
…as trusted in system lockdown (PowerShell#8284)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TravisEz13 TravisEz13 TravisEz13 approved these changes

@adityapatwardhan adityapatwardhan adityapatwardhan approved these changes

Assignees

@adityapatwardhan adityapatwardhan

Labels
CL-Engine Indicates that a PR should be marked as an engine change in the Change Log OS-Windows WG-Remoting PSRP issues with any transport layer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@PaulHigin @adityapatwardhan @TravisEz13 @iSazonov