Commit
Merge branch 'master' into Feature.RunAsUser
gerardog authored Oct 23, 2022
2 parents 70f223f + 45296ac commit c58c044
Showing 2 changed files with 14 additions and 18 deletions.
30 changes: 13 additions & 17 deletions docs/docs/security.md
@@ -4,7 +4,7 @@ title: Security Considerations
hide_title: true
---

## Why Windows doesn't have a `sudo` command?
## Why Windows doesn't have a `sudo` command? Should it have one?

To answer this question, we first have to take a look back at the history.

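Review bot: the new heading is still ungrammatical; "Why Windows doesn't have a `sudo` command? Should it have one?" should read "Why doesn't Windows have a `sudo` command? Should it have one?". Since this line is being edited anyway, fix the word order here.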
@@ -30,32 +30,28 @@ But that insulation quickly proved weak. Let me [quote Raymond Chen from Microso
>
> The reason why all the other options collapse into Meh is that the `Notify only when apps try to change settings` option can be subverted by any app simply by injecting a thread into (...)
And, up to this day, Windows 10 & 11, defaults to "Meh". Microsoft default is: lesser security in exchange of user convenience.
And, up to this day, Windows 10 & 11, defaults to "Meh". Microsoft default is: lesser security at the expense of user convenience.

---
![Vista UAC](../static/img/Vista-UAC.png)
[Windows 11 UAC Settings: Default mode is recommended only if you **don't** run untrusted software.]

---

Over time, no less than a hundred UAC-bypass techniques were disclosed. Many of them still work in an updated Windows 11. Windows Defender, or your antivirus of choice, will stop them (hopefully). But if you disable your AV, UAC bypass is easy.
Over time, no less than a hundred UAC-bypass techniques were disclosed. Many of them still work in an updated Windows 11. Windows Defender, or your antivirus of choice, will stop them (hopefully). But if you disable your AV, UAC bypass is easy.

And Microsoft did not patch them. Instead, it was assumed publicly that `UAC/UIPI` in default mode is not a security boundary. I will [quote Microsoft documentation](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-user-account-control#:~:text=More%20important%2C%20Same%2Ddesktop%20Elevation,be%20considered%20a%20convenience%20feature.) :
Microsoft did not patch them. Instead, they assumed publicly that `UAC/UIPI` in default mode is not a security boundary. I will [quote Microsoft documentation](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/disable-user-account-control#:~:text=More%20important%2C%20Same%2Ddesktop%20Elevation,be%20considered%20a%20convenience%20feature.) :

> Same-desktop Elevation in UAC isn't a security boundary. It can be hijacked by unprivileged software that runs on the same desktop. Same-desktop Elevation should be considered a convenience feature.
This literally means: <b>UAC does not protect you from threats. It's a convenience tool that protects you from shooting yourself in the foot. </b>
Which means: <b>UAC does not protect you from threats. It's a convenience tool that protects you from shooting yourself in the foot. </b>

And, in my opinion, it's not doing a great job:
And, in my opinion, it's not doing the best possible job:

- You waste important time by switching between elevated and unelevated windows. You have to manually carry your command and context to the elevated window, each time.
- ... or you suffer from "elevation fatigue". For example, you elevate a whole console beforehand, or all of them, and you do all your stuff there, likely running non-admin or untrusted stuff as admin, even when you shouldn't.
- You waste important time by switching between elevated and unelevated windows. You must manually carry your command and context to the elevated window, each time, back and forth.
- ... or you suffer from "elevation fatigue". For example, you elevate a whole console beforehand, and you do all your stuff there, likely running non-admin or untrusted stuff as admin.

The premises on which I assume they decided not to create a Windows `sudo` are false.

Same-desktop UAC is a convenience feature, and so is `gsudo`. **In -_any_- case, the only thing that protects you from malware is you and your AntiVirus.**.

Therefore, in my opinion, **the best way to not shoot yourself in the foot is to use a `sudo` tool** that allows you to easily cherry-pick the exact commands to elevate and minimizes the time-waste and "elevation fatigue".
**In conclusion:** Same-desktop UAC is a vulnerable convenience feature, and so is `gsudo`. In any case, **the only thing that protects you from malware is you and your AntiVirus.**.

## What are the risks of running gsudo?

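Review bot: the rewording on the "Meh" line inverts the meaning. "lesser security at the expense of user convenience" says both are sacrificed, whereas the point (and the old text, "in exchange of user convenience") is that security is traded away for convenience; suggest "lesser security in exchange for user convenience" or "user convenience at the expense of security". Two smaller issues in the same hunk: "Which means: <b>UAC does not protect you from threats...</b>" is now a fragment hanging off the block quote, so either keep "This literally means:" or join it to the preceding paragraph; and the new "**In conclusion:**" line still ends with "AntiVirus.**." (a period both inside and outside the bold), the same double period the old line had.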
@@ -68,9 +64,9 @@ gsudo could be used as an attack vector for escalation of privileges:
In my opinion, this is a mild risk that you are already exposed when using UAC in default mode. In the end, your only protection is your AV.

Ways to avoid this risk:
- Elevating on a new console, using `-n`/`--new`.
- Elevating on a new console, using `-n`/`--new`.
- Proposed new feature `ForceNewWindow`, to add a config setting where all elevations are done in new windows, so no isolation is broken. Tracked here: [#97](https://github.com/gerardog/gsudo/issues/97) (and up for grabs)
- Experimental: `SecurityEnforceUacIsolation`
- Experimental: `SecurityEnforceUacIsolation`
makes the elevated command run redirected, w/input redirected to `NULL`. Hence it will be non-interactive, so nobody will be able to drive it. Enable with `gsudo config SecurityEnforceUacIsolation true`

- **Abusing an active `gsudo Credentials Cache` to elevate a process silently**:
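Review bot: the continuation line under the `SecurityEnforceUacIsolation` bullet is carried over unchanged but still reads awkwardly: "makes the elevated command run redirected, w/input redirected to `NULL`" would be clearer as "runs the elevated command with its input redirected to `NULL`, so it is non-interactive and nothing can drive it." The bullets for `-n`/`--new` and `SecurityEnforceUacIsolation` show the same text on both sides, so those changes are presumably whitespace only. Also in this hunk's context, "this is a mild risk that you are already exposed when using UAC" needs "exposed to".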
@@ -79,9 +75,9 @@ gsudo could be used as an attack vector for escalation of privileges:

When the cache is active, it allows elevation from one invoker process and its children, which are running at the unprotected medium integrity level. A malicious process also at medium level can inject it's code into an allowed process and make it call gsudo to request elevation silently.

You avoid this risk by default, by not enabling the credentials cache.
You avoid this risk by default, by not enabling the credentials cache.

**TLDR;** `UAC` and `gsudo` are both vulnerable convenience features. Both rely on your ability to avoid malware, or your antivirus ability to stop it.
**TLDR;** Both `UAC` and `gsudo` are vulnerable convenience features. Both rely on your ability to avoid malware, or your antivirus ability to stop it.

<!--
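Review bot: the context line "inject it's code into an allowed process" has a typo ("its"), and the reworded TLDR still says "your antivirus ability to stop it" where "your antivirus's ability" is meant; both are worth fixing while this hunk is being touched. The "You avoid this risk by default" line shows identical text on both sides, so that change is presumably whitespace only.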
2 changes: 1 addition & 1 deletion docs/docs/tips/script-self-elevation.md
@@ -41,7 +41,7 @@ function Test-IsAdmin {
if ((Test-IsAdmin) -eq $false) {
Write-Warning "This script requires local admin privileges. Elevating..."
gsudo "$($MyInvocation.MyCommand.Source)" $args
gsudo "& '$($MyInvocation.MyCommand.Source)'" $args
if ($LastExitCode -eq 999 ) {
Write-error 'Failed to elevate.'
}
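Review bot: wrapping the script path in `& '...'` fixes paths containing spaces, but a path containing a single quote will now break the command string; escape it by doubling the quote (`$MyInvocation.MyCommand.Source -replace "'", "''"`) before interpolating it. Minor style point on the unchanged context: `Write-error` should be `Write-Error` to match the casing of `Write-Warning` two lines above.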