Sudo is a popular UNIX utility that allows users with "normal" privileges run certain programs as root (basically the UNIX equivalent to Administrator in Windows). Sudo allows the system administrator to restrict users to only run set programs, possibly without asking for a password for automation and convenience. UNIX system administrators are familiar with the concept of running with the least privileges required to accomplish any task.
Windows is moving in this direction as well, but more utilities are needed to help admins with the various day-to-day challenges they face. For example, some programs still require Administrator privileges, even if the purpose of the program has nothing to do with maintaining Windows. Most often this is caused by poor programming practices, and could easily be corrected if software developers would choose better methods to accomplishing their goals. The result of this is that users are forced to log in as an Administrator to run these programs. Since this is a major inconvenience, users will tend to just log in as an Administrator all of the time. With the advent of Windows XP, there is now built-in support for the "Run as" feature, allowing normal users to run one particular program with Administrator privileges. Unfortunately, this requires typing in the Administrator password every time they wish to run the program. This is still inconvenient at best.
This variant of sudo was created to overcome the existing inconveniences of logging in without Administrator privileges while running some particular programs with Administrator privileges. With sudo for windows, users can utilize the power of the "Run as" feature of Windows XP, but without having to type in a password to run commonly used programs. Some amount of security is maintained in that sudo will only allow set users to run predefined commands, much like the UNIX version of sudo.
Sudo for windows runs on Windows 2000 and Windows XP. You will require the .NET 2.0 framework in order to run the configuration utility. The .NET framework can obtained from Windows Update, or Microsoft's web site. As of right now, sudo for windows has only been tested on Windows 2000 Pro SP4 with all of the latest updates, as well as Windows XP Pro SP2 with all of the latest updates. If you are able run sudo for windows with any other service pack levels, please let me know. Sudo for windows will definitely not run on any version of Windows older than Windows 2000.
Sudo for windows is released under the GNU GPL version 2. That means you can use it free of charge. For more details, please read the full text of the GPL. You can download one of the following:
Version 1.1 (Current stable version)
New to this version:
Version 1.0 (Previous stable version)
Initial release.
After you install the package, you will find a link to the configuration utility in the Start Menu. When you run the configuration utility, you will be presented with a list of users on the local computer. Sudo for windows was designed to work with local users only. At the moment you cannot work with domain users, although it should be possible to add this feature in the future. Once you click on a user, you will be presented with a list of programs that the user can run through sudo. To add a program, right click on the right list and select Add. Find the program that you wish to add to the list. You can remove a program from the list by highlighting it, right clicking, and selecting Remove from the menu.
After you select a program on the programs list, you can use the command line text box to restrict what command line arguments can be passed the program. If the text box is blank, the user may run the program and pass any command line arguments to the program. If you enter any text for the command line, the arguments that user passes to sudo must match what is in the text box. You can use a * (asterisk) as a wildcard. To use a literal *, use \* (backslash asterisk). And for a literal \, use \\ (two backslashes).
For example, you could allow a user to run MMC.EXE (the Microsoft Management Console), but only if they use it to open compmgmt.msc (the standard Computer Management console). To do this, add MMC to the list of programs allowed. In the text box enter C:\windows\system32\compmgmt.msc. Or, similarly, to allow the user to run any of the standard consoles in the system32 folder, enter C:\windows\system32\*.msc.
Once sudo for windows has been configured to allow users to run certain programs, users can create standard Windows shortcuts to use the programs. Continuing on from the example above, the user (or system administrator, on the user's behalf) could make a shortcut to run MMC through sudo. To do this, one would create a shortcut to:
"C:\Program Files\Natmans\sudo For Windows\sudo.exe" C:\windows\system32\mmc.exe C:\windows\system32\compmgmt.exe
The quotes around the path to sudo are important. Also, the path may be different depending on what folder sudo is installed in. Notice that this is like creating a normal shortcut to MMC, except we preface it with the path to sudo.exe. Unfortunately, the icon for the shortcut may not always look "correct", so you may wish to change the icon to something other than the standard Windows icon. When the user launches the shortcut, sudo will run the specified program under the Windows account called "sudo-Admin", and the user can interact with the program like normal.
You can also add the folder where sudo.exe is located into your PATH environment variable, so that from a command prompt you can type sudo path_to_run.
There are two main security considerations when using sudo for windows. Of course, the standard considerations apply, such as only allow trusted users to run privileged programs, but that should be fairly obvious. The more important issue is that most useful programs will allow a user to load or save files, thus allowing the user to run other programs with Administrator privileges – which perhaps was not an intended outcome. This is because programs usually utilize the Windows Common Dialogs, and these dialogs allow the user to browse for an executable program, right click on it, and select "Open". So, system administrators need to understand that granting access to one program is equivalent to granting Administrator access to the entire computer. The feature of restricting what programs can be run through sudo is more to prevent automated attacks on the system than to restrict real users.
In short, the important thing to know is that if a user can run programs through sudo, they can do just about anything that someone with the Administrator password can, even if that was not the intended result. That said, the Run As feature in Windows XP suffers from the same issues, so using sudo is no worse than using Run As.
For those who may be interested, one precaution that is taken to help reduce security risks is that the password for the sudo-Admin account is randomly chosen when the sudo service starts (at least every reboot). Thus the sudo-Admin password for one machine will be different from the sudo-Admin password for another. One other precaution that is taken is that no one can log in as the sudo-Admin account over a network, even with the correct password. This access has been explicitly denied using Windows security policies.
The author of sudo for windows is Nathan Friess. You can reach me at nfriess AT ucalgary.ca. If you find this program useful, or have any suggestions for improvements, please drop me an email. It is always nice to know when others find my work useful.
© 2005-2008 Nathan Friess. All rights reserved.