Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open 'powershell as administrator' tabs (as a profile type) #691

Closed
mikemaccana opened this issue May 11, 2019 · 22 comments
Closed

Open 'powershell as administrator' tabs (as a profile type) #691

mikemaccana opened this issue May 11, 2019 · 22 comments
Labels
Issue-Feature Complex enough to require an in depth planning process and actual budgeted, scheduled work. Product-Conpty For console issues specifically related to conpty Resolution-Duplicate There's another issue on the tracker that's pretty much the same thing.

Comments

@mikemaccana
Copy link
Contributor

mikemaccana commented May 11, 2019

It's pretty frequent for Windows users to need 'powershell as administrator'.

Rather than opening a second instance of Windows Terminal via the Start Menu, it would be better to allow the 'down' menu to include powershell as administrator (by making it a profile type):

powershell
powershell (administrator)
cmd
@oising oising added Product-Conpty For console issues specifically related to conpty Issue-Feature Complex enough to require an in depth planning process and actual budgeted, scheduled work. labels May 12, 2019
@oising
Copy link
Collaborator

oising commented May 12, 2019

I'm not sure the ConPTY support is quite there yet, see #332

@Kryptos-FR
Copy link

Isn't there a risk of elevation of privileges leaking to other tabs?

I could be wrong but I suppose that to be able to run a powershell tab as administrator, the whole Terminal app would need to also be elevated. Are there ways to prevent that?

@oising
Copy link
Collaborator

oising commented May 13, 2019

There are ways to do it, but it's not trivial: https://github.com/parkovski/wsudo

@mdtauk
Copy link

mdtauk commented May 13, 2019

Without implementing a per command UAC elevation similar to 'nix's Sudo for all the various consoles and WSL - I think a Process per Tab implementation, with a UAC prompt on profile adding would be sensible.

It will require security protection and all the careful coding needed to make it possible, so may not be an achievable V1 goal.

@zadjii-msft
Copy link
Member

This is a dupe of #632, so I'll redirect discussion there.

@zadjii-msft zadjii-msft added the Resolution-Duplicate There's another issue on the tracker that's pretty much the same thing. label May 13, 2019
@heyJonBray
Copy link

Wouldn't it be possible to change the "commandLine" : "powershell.exe /profile <elevated user profile .pc1 file>" variable to the PS function(s) you would do within the ISE to start a profile in elevated mode?

@ckasabula
Copy link

Have been using ConEmu for years, which supports a mix of elevated and non-elevated tabs. I was thinking Windows Terminal would be a good alternative, but I don't want to run 2 instances when I can run just 1 ConEmu instance.

@mikemaccana
Copy link
Contributor Author

All: there's no doubting that various other apps have the ability to run elevated instances inside them, the reason Microsoft haven't added this feature for Terminal yet is that's there's a security risk within Windows of doing so. The other apps have that security risk, Microsoft for good reason don't want to expose their users.

With any luck Microsoft folk might fix Windows itself to allow elevated subprocesses (which may be very difficult), but otherwise the best best is for some other solution (eg, the ability to spawn a separate elevated window being easier)

@zadjii-msft
Copy link
Member

@ckasabula Thanks for the feedback, but we won't be allowing mixed elevated and unelevated instances in the same window, because it presents too large a security risk. You can refer to this thread: #632 (comment) for more details. ConEmu can offer that functionality and accept that risk, but unfortunately we can't.

@dranovsk
Copy link

Try gsudo as workaround.

@survivant
Copy link

it's the first time that I'm using Windows Terminal. Really nice to have PowerShell and WSL in a terminal. But I still don't understand why I can't have a tab with PowerShell as Administrator. In my taskbar I have Powershell pinned there and I right click on it.. Open as Administrator. Why can I have the same thing with Windows Terminal ? I'm never using powershell and cmd.exe in normal user.

@zadjii-msft
Copy link
Member

@survivant I mean, you can definitely open the Terminal as an administrator:

image

We're just not going to let you put elevated instances inside an unelevated window. There's a bunch of other quality-of-life improvements for running the terminal elevated we've got planned over in #8455.

@PanosGreg
Copy link

PanosGreg commented Apr 18, 2021

kudos to @dranovsk for the gsudo mention!
to install just: choco install gsudo -y (from an elevated console, you need chocolatey obviously)

Just create a new windows terminal tab, for ex. PowerShell (Admin)
and then in the command line text field: gsudo pwsh
and that's it, every time you open that tab, you'll get a UAC prompt (cause it 's an elevated process)
and in the end, you'll have normal (non-elevated) tabs and elevated (admin) tabs in the same windows terminal app.

Also, to distinguish the tab from the regular PowerShell, here's an icon with red powershell
Powershell ico Files

@RobBiddle
Copy link

RobBiddle commented May 5, 2021

I understand there's a potential security risk of running elevated console tabs inside a non-elevated Windows Terminal. But what about enabling the opposite workflow?

As long as Windows Terminal was launched with elevated privileges then why not allow for additional non-elevated console tabs to be created?

@flatline-studios
Copy link

flatline-studios commented May 17, 2021

kudos to @dranovsk for the gsudo mention!
to install just: choco install gsudo -y (from an elevated console, you need chocolatey obviously)

Just create a new windows terminal tab, for ex. PowerShell (Admin)
and then in the command line text field: gsudo pwsh
and that's it, every time you open that tab, you'll get a UAC prompt (cause it 's an elevated process)
and in the end, you'll have normal (non-elevated) tabs and elevated (admin) tabs in the same windows terminal app.

Also, to distinguish the tab from the regular PowerShell, here's an icon with red powershell
Powershell ico Files

I get:

> gsudo pwsh
pwsh : The term 'pwsh' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify
that the path is correct and try again.
At line:1 char:1
+ pwsh
+ ~~~~
    + CategoryInfo          : ObjectNotFound: (pwsh:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

To fix it, instead just change either the "Command line" box in the settings to read, powershell.exe gsudo, or, if you're working directly with the settings JSON file, then have the line "commandline": "powershell.exe gsudo" in your profiles list.

@ghost
Copy link

ghost commented May 21, 2021

kudos to @dranovsk for the gsudo mention!
to install just: choco install gsudo -y (from an elevated console, you need chocolatey obviously)

Just create a new windows terminal tab, for ex. PowerShell (Admin)
and then in the command line text field: gsudo pwsh
and that's it, every time you open that tab, you'll get a UAC prompt (cause it 's an elevated process)
and in the end, you'll have normal (non-elevated) tabs and elevated (admin) tabs in the same windows terminal app.

Also, to distinguish the tab from the regular PowerShell, here's an icon with red powershell
Powershell ico Files

Thanks to @PanosGreg for this tip!

FYI: If you're using Powershell 7.x (aka Powershell Core, pwsh) you'll want to use gsudo pwsh.exe

@ylluminate
Copy link

ylluminate commented Jun 6, 2021

Thanks so much for the gsudo pwsh.exe tip @PanosGreg - shame Microsoft doesn't work towards developer intuitiveness and needs like Apple once did (and now doesn't either).

Tip: after doing the above you have to also restart Terminal if you've had it running while installing Chocolatey + gsudo.

@oising
Copy link
Collaborator

oising commented Jun 11, 2021

shame Microsoft doesn't work towards developer intuitiveness and needs

@ylluminate This is completely unfounded and absolutely incorrect. Balancing intuitiveness/easy of use and security is a delicate dance, and one that Microsoft does far better in the last ten to fifteen years than Apple ever has. The reason you're seeing Apple leaning this way now too is that they too are coming to grips with this balance.

@ylluminate
Copy link

@oising after 30 years of experience in this area I'm allowed to disagree with you and could also demonstrably say that you're wrong with unequivocal refutation, but we'll stop this now before it get's too hot in here.

@oising
Copy link
Collaborator

oising commented Jun 11, 2021

@oising after 30 years of experience in this area I'm allowed to disagree with you and could also demonstrably say that you're wrong with unequivocal refutation, but we'll stop this now before it get's too hot in here.

You can disagree with me anyway you wish, but it's less convincing if you attempt to do so via argumentum ad verecundiam ;) Have a nice day.

@ylluminate
Copy link

@oising do you really want to do this here? I fully perceive you as doing exactly the same thing with regards to verecundiam and believe you made a baseless (sans foundational logic) statement.

@microsoft microsoft locked and limited conversation to collaborators Jun 11, 2021
@DHowett
Copy link
Member

DHowett commented Jun 11, 2021

we'll stop this now before it get's too hot in here.

This seems to be a classic tactic: firing another salvo while saying "This will be the last one -- I do not expect you to respond" is clearly bait and that sort of behavior is not one I'm ready to tolerate in my repository. If you want to have a disagreement, do so in a fundamental and evidence-based way.

This project wouldn't exist if we weren't working to address the needs of developers in our ecosystem. Refute that if you'd like, but we've gotten here against all the odds by making our case to the people in the company who would hear us.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Issue-Feature Complex enough to require an in depth planning process and actual budgeted, scheduled work. Product-Conpty For console issues specifically related to conpty Resolution-Duplicate There's another issue on the tracker that's pretty much the same thing.
Projects
None yet
Development

No branches or pull requests