-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explore whether Terminal could be 'runas' a different user identity #4217
Comments
As a workaround, can you not |
@biltongza As you point out, this is only works within PowerShell - the ask above is more general than that. Also, since UWP apps are installed per-user, it's possible that the requested app isn't even installed and available in the secondary account. |
I'm not an enterprise user so I apologize if I don't fully understand the requirements here, but does the terminal GUI really need to run as another user? Or is it enough to spawn shells with runas and/or a potential sudo utility? I was able to get an admin tab with my wsudo POC, and I'd imagine running a shell as another user would work similarly. |
That is a whole other thread with its own security concerns. #632 |
Isn't the primary issue here security? In my book no user, enterprise or not, should be running an admin account hoping UAC is doing its job properly Bypass User Account Control to me this is a HUGE issue and it seems it is being swept under the rug |
It's the same issue. An example of this is that a domain admin should have two AD accounts; a standard user account and a domain admin account. They should be logged into their desktop under their standard user account. Should they need to do some AD work, they should be able to run a terminal window under their domain admin account, perform the work, then close the window. This is preferable to switching to their domain admin user. It's more convenient and much quicker. |
Yes, this is all about security. Consider the scenario where a domain admin's standard environment is compromised with some form of pernicious malware. If/when they launch an app from their compromised desktop running as their domain admin account, the malware now has considerable opportunity to key-log/screen-scrape/intercept/divert/delete/block/corrupt/encrypt all kinds of data and systems as domain admin. Ever wonder how Ransomware takes an entire company offline? This is why many enterprises and most online services air-gap users from production systems, requiring users to login via RD to a strictly-managed, heavily-restricted hosted VM environment which is severely locked down, regularly re-paved, etc. Such environments used to be the domain of the rich and famous, but this can now be built very cost effectively with commodity services and tools. Is this more inconvenient than just One of the interesting artifacts of such changes is that scripts, automation, and systems get built to replace the user's need to run admin tasks ad-hoc, increasing reliability and repeatability, decreasing errors, and decreasing various other risks. This is where CI/CD came from, and where many enterprises are going. YMMV. |
Being redirected from GH-5723 and I understand the security concerns but I think we are missing something from the user experience. I actually work with a restricted user and when I do "Run as Admin", I elevate with a local admin user for which I need to enter the password. This works with everything, including powershell and cmd prompt. I understand the possible WUP limitations but the 2-user pattern is a much more secure pattern, I think, than a all the time admin with UAC on demand. If the WUP won't allow for this, shouldn't there be an alternative like a global installation even outside the Windows Store, like PowerShell and every other application. At the end of the day, this looks like a limitation of the WUP because what would happen on systems that only run WUP apps? A Terminal is almost by design an extension to system configuration, so something needs to be considered when re-envisioning a Windows Terminal that can't do admin things. I also request for this issue to be re-opened or lets create another one. Let me know please. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This is my exact situation. We have a regular AD user account for our workstation and an AD administrator account to do our work. As it stands now, I see no point in continuing to using WT over my standard powershell or command terminal. |
This does not work if you are trying to do things like Active Directory management. A simple test is to try to access the c$ admin share on a DC using set-location, it will fail. While opening a Powershell windows "As a different user" works. |
Interesting all the points above on security of elevation vs no elevation when running commands in a terminal (cmd, powershell or whatever). A big selling point of windows terminal is the tabs and split panes - great for running stuff remotely when enter-pssession is ideal. There are time though when I need/want to run something locally, at which point I need to ditch terminal and open a powershell window as admin to do it. Sort of defeats the point of having a nice neat all in one place for terminal windows |
I recently found myself in the position of wanting to register Store-installed Windows Terminal with a second (high-privilege) account to try and work-around this issue, due to local corporate policies. By my research, the command should be:
when running PowerShell as the target user (either privileged or unprivileged), but it fails
The
This appears to be a repro-case for #3194, but happens without Chocolately or an elevated session. |
@TBBle Running that from an elevated Powershell 5.1 prompt allowed me to run WT as admin. Thanks! |
I wonder how many of these complaints could be solved with the use of /netonly semantics. It's perfectly possible to run a terminal window as userA and employ |
@Wittionary How did you install Windows Terminal? I had assumed #3194 would affect everyone who installed it from the Windows Store or Chocolatey, but if you did one of those, then perhaps it's something system-specific that triggers it. |
@TBBle I believe I initially installed it which Chocolate because the Windows Store was previously blocked at my place of employment. And according to |
In our company we have a second account for doing admin things. |
If I do
Both from PowerShell 7 and 5, while in Admin privileged sessions |
Correct me if I am wrong, but keyloggers and such will still catch everything you type even if you're RDP'd into a VM from where you do domain admin work. The info will be caught before it is sent through RDP, or caught when providing credentials to initiate your RDP connection. |
I've run into this issue as well when working with a laptop from a new corporation that I'm working with. The workarounds suggested haven't resolved my issues with Microsoft Terminal, but they did allow me to get winget working (see referenced issue linked above for information if you are interested). One idea came to mind related to this: if modern apps are all about installation/management for the current, logged in user, and more applications that users may want to run as admin like winget, the Microsoft Terminal, etc. are being built as modern apps to be installed this way, maybe the solution is to reimagine the non-admin login user pairing with an admin elevation user account (cannot log on locally) scenario. The end goal is simply to prevent running day-to-day as admin, while allowing for some content to be run as admin but only as needed, and behind explicit authentication, right? In which case being able to enter elevation credentials (different from your normal password, independently linkable to MFA/modern auth) so that you could execute applications on your system as admin in a more secure manner without dealing with two accounts could solve this problem while supporting the logged on user requirement of modern apps that are installed from the store or sideloaded. |
Regarding this workaround mentioned above, I was able to get the Is there some way to manually register/configure Cascadia fonts for the elevated admin account that cannot log on locally independently of the sideloading workaround for Microsoft Terminal? If the extension is the blocker here, I'm now looking for a workaround to unblock the extension so that I can then just register the Terminal app for my elevated admin account manually. |
@bitcrazed, what you're saying is interesting but I have evidence to the contrary. On most of my machines I have at least two user accounts, Me and MeAdmin, the first one being a "standard use" (i.e. member of I do most of my work from the standard user, and only specific actions (e.g. upgrade Visual Studio, reconfigure network) through the admin. Usually I do it by "elevating" the required programs (e.g. When I say "elevate" here I mean what used to be called when UAC just came out "OTS elevation" (Over-The-Shoulder, supposedly when the admin, who's another person, comes and enters the password over my shoulder) rather then "AAM" (Admin Approval Mode; just clicking Yes without entering a password). Sometimes I get the OTS prompt because the application manifest requires elevation (as does the VS installer prior to 16.9), and sometimes I right click the program and choose Run as administrator (to run In all cases the currently logged on user (to whom the Terminal Services session belongs) is not an administrator. The programs are being run as a different user.And while logged in as Me, the standard user, I am able to run Windows Terminal as a completely different user, MeAdmin, as long as the following conditions are met:
TLDR: Contrary to what you wrote, it is possible to run UWP "modern apps under the identity other than the currently logged-in user" AT LEAST WHEN all the following is true: (a) The app is a Centennial/Desktop Bridge/ Are (c) and (d) really requirements? I don't know. Maybe there are other ways to run as a different user, but your sweeping declaration is wrong. Since it is OBVIOUSLY possible to run Windows Terminal as a different user (come one, reproducing what I just wrote will take you less time that it took me to write it...), it's worth checking inside your employer's other departments whether this can be done without elevation, and if so how. I understand this is somewhat harder than announcing wrong sweeping declarations, but I must ask you try nonetheless. |
I am certain that there would have been ways to frame this that were less incendiary, but you did not choose to use them. It looks like the discussion on this thread has run its course. Anybody who has something constructive to add is free to e-mail me their comments. |
Related to #2485, #1053, #3534
This issue is a fork from a conversation started in #146 (specifically this comment onwards) discussing if/whether Terminal can/could support being
runas
a different user identity than the currently logged-in user.The primary ask here is that users, particularly those in enterprise scenarios, often need to run commands/scripts/etc. under a different user account with different permissions/rights than their normal/general user account.
Alas, UWP apps do not currently support the ability to run under a different identity than the currently logged-in user.
Thus, there are a couple of questions:
We'll go do some homework and respond to this thread with what we find.
Thanks all on the original thread for sharing their feedback :)
The text was updated successfully, but these errors were encountered: