Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue: Credential cache status is displayed incorrectly (potential regression) #196

Closed
samba2 opened this issue Oct 31, 2022 · 2 comments
Closed

Issue: Credential cache status is displayed incorrectly (potential regression) #196

samba2 opened this issue Oct 31, 2022 · 2 comments

Comments

@samba2
Copy link

samba2 commented Oct 31, 2022

There is a change in the gsudo status output which I believe was introduced between 1.13 and 1.14.

Scenario: I create a manual cache session. By setting the --pid to 0 also other processes under my user ID can now run gsudo without being prompted for a password. This is still working 😉 but:

in version 1.30 gsudo status contained the line Available for this process: True when the cache was active.
From version 1.40 gsudo status says Available for this process: False
I also saw the same behavior in the latest, 2.0.0 pre-release.

Steps to reproduce:
gsudo 1.30

PS C:\temp> .\gsudo-1-30.exe cache on --pid 0 --duration 00:00:30
Warning: Elevation allowed for any process from same-user.
Warning: Cache is a security risk. Use `gsudo cache off` (or `-k`) to go back to safety.

PS C:\temp> .\gsudo-1-30.exe status
Caller Pid: 20040
Running as:
  User: MYDOMAIN\MYUSER
  Sid: S-1-5-21-43206524-2104247658-1151357142-4830526
  Is Admin: False
  Integrity Level: Medium (8192)

Credentials Cache:
  Mode: Auto
  Available for this process: True    <--------
  Total active cache sessions: 1
    ProtectedPrefix\Administrators\gsudo_E47586A56563B34C06B7A20DB10A05A83245A9FEFB0D62C7187EEB48B157A9F1

Processes attached to the current console:
      PID      PPID Integrity  UserName                  Name
    20040     10716 Medium     MYDOMAIN\MYUSER           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      628     20040 Medium     MYDOMAIN\MYUSER           C:\temp\gsudo-1-30.exe (this gsudo status)
PS C:\temp>

gsudo 1.40

PS C:\temp> .\gsudo-1-40.exe cache on --pid 0 --duration 00:00:30
Warning: Elevation allowed for any process from same-user.
Warning: Cache is a security risk. Use `gsudo cache off` (or `-k`) to go back to safety.
PS C:\temp> .\gsudo-1-40.exe status
Caller Pid: 20040
Running as:
  User: MYDOMAIN\MYUSER
  Sid: S-1-5-21-43206524-2104247658-1151357142-4830526
  Is Admin: False
  Integrity Level: Medium (8192)

Credentials Cache:
  Mode: Auto
  Available for this process: False             <-------------
  Total active cache sessions: 1
    ProtectedPrefix\Administrators\gsudo_E47586A56563B34C06B7A20DB10A05A83245A9FEFB0D62C7187EEB48B157A9F1

Processes attached to the current console:
      PID      PPID Integrity  UserName                  Name
    20040     10716 Medium     MYDOMAIN\MYUSER           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    14688     20040 Medium     MYDOMAIN\MYUSER           C:\temp\gsudo-1-40.exe (this gsudo status)

If this is intended behavior, I'd like to understand when "Available for this process" will be "True" in newer gsudo versions.
@gerardog
Copy link
Owner

Not intended. It is a bug. Thanks for reporting

gerardog added a commit that referenced this issue Nov 1, 2022
@gerardog
Fix: gsudo status shows always false in Available for this process
ba5b216 
…#196
@gerardog
Copy link
Owner

gerardog commented Nov 8, 2022

Fixed in v2.0.0

@gerardog gerardog closed this as completed Nov 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@samba2 @gerardog