3

I have found a few PowerShell elevate / sudo functions, but none of them seem to work well (in a "as intuitively and seamlessly as on every Unix and Linux distribution" way). They are mostly redundant as they don't work well. If someone has a seamlessly working elevate / sudo on PowerShell they'll know it.

The problems with the functions that I've seen are:

• They only work with external scripts by calling another instance of powershell.exe. i.e. If you want to do something as simple as sudo gci or sudo Get-ChildItem that will generate an error as the methods don't seem to like calling aliases or Cmdlet (for some reason!).

• You cannot seamlessly elevate the existing console session up to Administrator, and this seems to require that an elevate / sudo function opens a completely new console (seems cumbersome to have to open a new console for nothing!)?

Does anyone have a reliable elevate / sudo that they use? I don't expect it to be perfect, if there are good technical reasons why things like the above do not work (maybe to do with limitations of the PowerShell host itself not being capable enough) then that's fine, but it would be good to know how far we can get with a functional elevate / sudo within PowerShell. It's often a shame that, although PowerShell is massively more advanced than bash (and it's object manipulation capabilities blow away Python and Perl imo also), sometimes it seems like some of the most simple capabilities in Unix-land, like sudo, blow away what is possible in PowerShell - I'd love to see those gaps filled so that PowerShell can be shown to be every bit as capable as Unix (and more so!!) for a change.

YorSubs
  • 3,194
  • 7
  • 37
  • 60
  • 1
    "I'd love to see those gaps filled so that PowerShell can be shown to be every bit as capable as Unix". Ehh, I'm not quite sure where to start here - one is a command-line shell, the other is a family of operating systems. `sudo Get-ChildItem` doesn't make sense because `Get-ChildItem` is not an executable (like `ls` is on *nix). `sudo` works well in an environment where every command is hosted in its own process - ie. the opposite of what PowerShell is and does. Your question is akin to ask "Where's the `sudo` for {perl,python,c,ruby}?" - it doesn't make sense – Mathias R. Jessen Dec 28 '19 at 00:34
  • The comparison is clear. We can nitpick on definitions if you want, but when I said "Unix" the context being the various shells within unix-like operating systems was explicitly clear (see the rest of the text in my post). `sudo Get-ChildItem` makes perfect sense: does it not generate a process that runs? And that process can run in the context of a user or as an Administrator? You can pretend that I want an exact match but please see last paragraph: "I don't expect it to be perfect ...". Please don't fixate on that. Sudo-like behaviour on PowerShell is very appealing (and not just to me). – YorSubs Dec 28 '19 at 12:30
  • The other extremely appealing aspect of sudo-like behaviour is just normal interaction with the OS from the console. i.e. you are on the console and you have been doing some things, then you need to go into a restricted directory or open a file with Admin-only rights. It might not be appealing to you, but I have often seen people lamenting the lack of ability to just "su -" up to admin and continue working without having to open a different console session. – YorSubs Dec 28 '19 at 12:32

2 Answers2

3

Nothing native in the box of course, so, an apples/oranges comparison when talking sudo stuff with Windows.

Security boundaries/functionalities are just different, as well all know, and the sudo equivalent in Windows (and thus PowerShell) is RunAs and that will pop Windows UAC, no getting around that, without turning UAC off (don't do this) or setting up an AppCompat shim.

So, when you say functions, are you saying you have already tired these:

Find-Module -Name '*sudo*' | 
Select Name, Version, Type, Description

# Results
<#
Name   Version Type   Description                                                                            
----   ------- ----   -----------                                                                            
Sudo   2.1.0   Module Use functionality similar to sudo in PowerShell. GitHub: https://github.com/pldmgg/Sudo
PSSudo 1.4.0   Module Function for executing programs with adminstrative privileges 
#>

This type of question comes up a lot here and has been answered several times. So, are you saying, you tried the below?

How to sudo on powershell on Windows

Start-Process -Verb RunAs powershell.exe -Args "-executionpolicy bypass -command Set-Location \`"$PWD\`"; .\install.ps1"

Sudo !! equivalent in PowerShell

runas /user:domain\administrator $^

Is there any 'sudo' command for Windows?

doskey sudo= runas /user:Administrator "cmd /k cd \"%cd%\" & $*"

runas /noprofile /user:Administrator cmd

See also:

Support sudo #3232

5 Windows Alternatives to the Linux sudo Command

postanote
  • 15,138
  • 2
  • 14
  • 25
  • I'm already really liking the first Sudo module that you posted. Been searching on and off for a few months. Sometimes it's hard to know where to find things and I had not done a check on the PowerShell Gallery. I think your answer is an excellent summary and I think that these Modules are going to be ideal for me going forward thanks (as I said, I don't expect some kind of perfect comparison to sudo in Linux, but power users frequently jump between security contexts and I think it a missed opportunity that Microsoft did not include sudo functionality in PowerShell by default). – YorSubs Dec 28 '19 at 12:58
  • If you have chocolately I suggest to install sudo package with it. This is the link of package https://community.chocolatey.org/packages/Sudo – Lorenzo Morelli Sep 28 '21 at 14:10
2

gsudo is a sudo for Windows that behaves like Unix sudo (elevates a command or your cmd/ps shell in your current console windows). It works in Powershell, but with limitations: The elevated memory space can't share objects with the non-elevated one, so variables can't be shared, and some kind of marshalling of objects must be done. Currently gsudo does the most naive, but at least honest, marshalling: just strings can be passed to and from. You can pass a string literal with the command that needs to be elevated to gsudo. Then gsudo returns a string that can be captured, not powershell objects.

# Commands without () or quotes  
PS C:\> gsudo Remove-Item ProtectedFile.txt
or
PS C:\> gsudo 'Remove-Item ProtectedFile.txt'

# On strings enclosed in single quotation marks ('), escape " with \"
$hash = gsudo '(Get-FileHash \"C:\My Secret.txt\").Hash'
# For variable substitutions, use double-quoted strings with single-quotation marks inside
$hash = gsudo "(Get-FileHash '$file' -Algorithm $algorithm).Hash"
# or escape " with \""
$hash = gsudo "(Get-FileHash \""$file\"" -Algorithm $algorithm).Hash"

# Test gsudo success (optional):
if ($LastExitCode -eq 999 ) {
    'gsudo failed to elevate!'
} elseif ($LastExitCode) {
    'Command failed!'
} else { 'Success!' }

Or, you can just call gsudo to elevate your current shell, in Powershell:

PS C:\> gsudo
(Accept UAC popup)
PS (ADMIN) C:\> Remove-Item ProtectedFile.txt
PS (ADMIN) C:\> exit
PS C:\>
Gerardo Grignoli
  • 14,058
  • 7
  • 57
  • 68