Being able to use sudo
commands in CygWin is useful, and faster than opening an elevated shell:
Luis@Kenobi /cygdrive/c/Users/Luis
$ net user /add TestUser
System error 5.
Access denied.
Luis@Kenobi /cygdrive/c/Users/Luis
$ sudo net user /add TestUser
Command completed successfully.
As shown above, you can run Windows commands/scripts too, just as Linux. For me is neat; works on remote (SSH) consoles and allows to combine Windows/Linux commands. So being able to execute administrative tasks is nearly a must.
But the SUDO for CygWin project has a behavior that could be dangerous: it works as a server/client architecture, in fact, a client (sudo) send requests of commands to a server (sudoserver.py) at internal (not listening outside the local computer) port 7070TCP, with no user or permissions checking, so anyone (even unprivileged users) logged in onto the computer could execute admins (CygWin or Windows) shell commands or scripts (CygWin or Windows, too).
The problem gets worse if you keep the suggested method of the author: registering "sudoserver.py" as a service, so it will keep permanently running.
So, to maintain the things a bit more secure (not totally), I do:
1.- Execute "sudoserver.py" on an admin shell.
2.- Execute my "sudo" commands on another CygWin shell.
3.- Close (Ctrl+C) "sudoserver.py" and the admin shell.
A bit annoying. I am workarounding it using a .cmd
file with assigned hotkey that runs "sudoserver.py", and I am closing (manually) it after my administrative jobs, but still far from the classic "sudo" usability on Linux.
The great and practical way would be some method that:
- **Auto-opens "sudoserver.py" requesting for UAC Elevation Prompt (or user/password).
- Closes it after a while, so UAC requestion will not keep disturbing in case of several
sudo
commands executed sequentially.
Is there any way to automate this, at least partially?
Best Answer
I have programmed a simple Linux shell script that works (until now) on CygWin and helps (I hope) reducing the SUDO for CygWin time-attack interval. The program is named TOUACExt (acronym of "TimeOut and UAC Extension") and acts as a wrapper for SUDO for CygWin (required installed), and is really composed by a set of four
.sh
programs.Features:
sudo
commands will only generate one UAC request). As long as sudoserver.py keeps running (15 minutes default), there will be no more UAC requests./var/log/SUDOForCygWin/
.Requirements (in CygWin):
procps
package).util-linux
package).Assuming: - The two programs of the SUDO for CygWin project on the path suggested by the author:
TOUACExt have been tested working on Windows 7 SP1 and Windows XP SP3, but I don't know if it makes sense in using it on this last one.
Installation Instructions:
Put this script (suggested name:
SUDOServer.cmd
) and create a shortcut (you can personalize its icon if you want) to it namedSUDOServer.lnk
(you must enable on this shortcutAdvanced Options --> Execute as Administrator
) anywhere on your Windows path, sosudoserver.py
can be directly requested from Windows:c:\CygWin\bin\python2.7.exe /usr/local/bin/sudoserver.py
Put the four .sh scripts of TOUACExt on the path, for example:
/usr/local/bin/SUDO.sh /usr/local/bin/SUDOServer.sh /usr/local/bin/SUDOServerWatchDog.sh /usr/local/bin/SUDOServerWatchDogScheduler.sh
Rename the original Python script from
sudo
tosudo.py
:mv /usr/local/bin/sudo /usr/local/bin/sudo.py
WARNING: The original "sudo" Python script must not remain anywhere in your path, or it could be executed instead.
Create this alias (for example, manually or by editing your
~/.bashrc
):alias sudo='SUDO.sh'
Code for SUDO.sh:
Code for SUDOServer.sh:
Code for SUDOServerWatchDog.sh:
Code for SUDOServerWatchDogScheduler.sh:
Test the program from a CygWin Bash shell:
NOTE2: These scripts are in pre-beta release, so they are still buggy and the code is not very clean. Anyway, in my tests with three different Windows 7 computers they seem to be working (mostly) OK.
Brief explanation of the program:
SUDOServer.lnk
) "sudoserver.py" if needed.sudoserver.py
.To Do:
Reported Bugs:
exit
ifsudoserver.py
is running until it closes. Provisional workarounds are welcome.I hope someone will use the long hours programming I have dedicated to TOUACExt.
Enhancements and corrections accepted.
Suggestions about where should I go publishing the code to stop nagging this forum accepted too ;-) .
Sorry for the long post. I don't have much free time, and this project was about disappear on my closet (maybe for years, who knows?).