Gsudo in batch script

Open lazna opened this issue 2 years ago • 19 comments

I have a large batch script; it uses a lot of external command-line utilities. At the beginning of the script I have this declaration:

"%binpath%\gsudo.exe" cache on
"%binpath%\gsudo.exe" config CacheDuration 00:15:00

But later in the script, usage of

"%binpath%\gsudo.exe" program.exe parameters

still causes a UAC prompt. Not sure if all of them, but some of them for sure. I expect gsudo in cache mode to elevate the script and all its child processes. Am I missing something?

version is 1.3.0

lazna avatar Jul 06 '22 09:07 lazna

Just found the extended documentation of gsudo and changed my declaration in the following manner, but it does not help:

"%binpath%\gsudo.exe" cache on
"%binpath%\gsudo.exe" config CacheMode auto
"%binpath%\gsudo.exe" config CacheDuration 00:15:00

lazna avatar Jul 06 '22 11:07 lazna

Are you using Windows 8.1 or lower? If so, sorry but this is a known issue.

Could you create a Minimal reproducible example please?

As a workaround I would suggest your batch script auto-elevate once:

@echo off
::Self-elevate batch script.
  gsudo status | findstr /C:"Admin: True" 1> nul 2>nul && goto :IsAdmin
  echo You are not admin. Elevating using gsudo.
  gsudo "%~f0"
  exit /b %errorlevel%
:IsAdmin
  echo You are admin. Do admin stuff now.

gerardog avatar Jul 06 '22 13:07 gerardog

Windows 10.0.19044.1766

lazna avatar Jul 06 '22 14:07 lazna

Can you provide an example MRE please?

gerardog avatar Jul 06 '22 14:07 gerardog

It's a large and very complex script that depends on many external binaries. I will try to separate a piece which will demonstrate the problem well enough.

lazna avatar Jul 06 '22 15:07 lazna

Yes, please do. I tried it and it looks like 'gsudo cache on' returns immediately, even before the actual cache has finished starting. So an immediate gsudo call after cache on may fail to find the active cache. A 1 second delay after cache on fixes the issue.

gerardog avatar Jul 06 '22 17:07 gerardog

Finally, it's here. This script displays the elevation prompt twice. Hope this helps you.

@echo off
::
set "binpath=C:\work\bazmek\support"
::
"%binpath%\gsudo.exe" -k
::
"%binpath%\gsudo.exe" cache on
"%binpath%\gsudo.exe" config CacheMode auto
"%binpath%\gsudo.exe" config CacheDuration 00:15:00
::
::
%binpath%\gsudo.exe dism /online /get-featureinfo /featurename:TelnetClient

lazna avatar Jul 07 '22 11:07 lazna

  1. There is a problem with gsudo cache on, it returns too fast, before the cache has started completely, so a delay of 1 second may work until I figure out how to fix the issue.
  2. Changing the CacheDuration invalidates all caches by design. This is the only way to enforce the policy change. I would refrain from doing that inside a batch script.

gerardog avatar Jul 07 '22 12:07 gerardog

Try commenting out the last line; it reduces elevations to only one. So the last line plays the main role here...

lazna avatar Jul 07 '22 12:07 lazna

I wouldn't change the CacheMode inside a batch script either. The cache on should suffice to prevent additional popups, if CacheMode is set to auto or the default explicit. Only would fail if it is disabled. And in that case, you may check the errorlevel of gsudo cache on to see if it works, for example:

gsudo cache on
if errorlevel 1 Echo Unable to start a gsudo session & exit /b
gsudo doStuff1
gsudo doStuff2

gerardog avatar Jul 07 '22 12:07 gerardog

Try commenting out the last line; it reduces elevations to only one. So the last line plays the main role here...

Exactly, try it this way:

@echo off
::
set "binpath=C:\work\bazmek\support"
::
"%binpath%\gsudo.exe" -k
::
"%binpath%\gsudo.exe" cache on
if errorlevel 1 Echo Unable to start a gsudo session & exit /b

:: Fix delay issue
waitfor delay /t 1 2> nul

:: don't do this. "%binpath%\gsudo.exe" config CacheMode auto
:: don't do this. "%binpath%\gsudo.exe" config CacheDuration 00:15:00
::
%binpath%\gsudo.exe dism /online /get-featureinfo /featurename:TelnetClient
%binpath%\gsudo.exe dism 2
%binpath%\gsudo.exe dism 3

gerardog avatar Jul 07 '22 12:07 gerardog

OK, this works. What will be the duration of the cache? AFAIK the default is 5 min, but what if I want more in my script?

lazna avatar Jul 07 '22 13:07 lazna

Think of it as in Unix world, a script wouldn't change sudo config. This should be same.

Cache duration is a User setting, not a script setting. It mandates how much time it's not safe for the user to leave the computer unattended. A script wouldn't change that.

Default Cache duration is 5 minutes, but is a persistent config setting. So if you set it to 15 minutes once, that setting will stay fixed until reconfigured.

I'm guessing maybe your batch files are setting the CacheDuration often, thus invalidating the cache, so seeing more popups.

If your script needs to elevate for several minutes, instead you can make the batch file auto-elevate itself using gsudo...

@echo off
::Self-elevate batch script.
  gsudo status | findstr /C:"Admin: True" 1> nul 2>nul && goto :IsAdmin
  echo You are not admin. Elevating using gsudo.
  gsudo "%~f0"
  if errorlevel 999 Echo failed to elevate
  exit /b %errorlevel%
:IsAdmin
  echo You are admin. Do admin stuff now.

... same as any installer... For example, if you install Microsoft Office, it just elevates once and then the install can take many minutes.

Also, the cache duration is the time between gsudo commands, so (assuming cache duration in default 5 minutes) you can call several times something like gsudo do something for 10 minutes with just one popup. You would need to wait 5 minutes AFTER the previous gsudo command finished to see an additional popup.

  • gsudo do something for 10 minutes -> shows popup
  • gsudo do something for 10 minutes -> no popup
  • gsudo do something for 10 minutes -> no popup
  • wait 5 minutes
  • gsudo do something for 10 minutes -> shows popup.

gerardog avatar Jul 07 '22 13:07 gerardog

My script is not a batch file in what the word 'batch' means. It is a complex of menus full of specific commands (actually more than 2000 lines of code). The commands start Windows console programs or batches of programs. People could stay in some menu for tens of minutes (or even more) before pressing a key to continue. My intent is that a program user faces the elevation prompt only once, on program start. This should elevate the parent console process, and all console programs possibly called later inherit elevated permissions from the parent console, but maybe I misunderstand the program concept.

BTW: In the beginning of the program there is a "user customizable" area, where users could set some program behaviour settings. I plan to make 'elevation_time' one of these customizable items (with an explanation of possible risks). The termination routine performs 'gsudo.exe -k', but this does not employ when someone terminates the script by CTRL+C.

lazna avatar Jul 07 '22 16:07 lazna

My intent is that a program user faces the elevation prompt only once, on program start.

What do you think about elevation on script start? Specifically the auto-elevate script I shared above. That would be only one popup. In a more complex script, you could make those features that require elevation, to auto-elevate the script and continue from there, for example:

  • Screen Menu: Please Enter 1, 2 (requires admin) or 3 (requires admin)
  • User enters: 2
  • Script auto elevates passing option "2" to itself, like: gsudo myscript.bat 2
  • Then the elevated script runs 2 and goes back to the menu.

But, after elevating once, if the user then selects option 1, it will run elevated... (unless gsudo -i medium Command1)

But OMG... How could I forget about a feature I coded myself? the cache on command accepts a duration parameter. gsudo cache on -d 00:15:00 for 15 minutes.... (HH:MM:SS format). Also gsudo cache on -d -1 for keep cache indefinitely (not recommended from a security standpoint).

Use gsudo cache -h for more verbose help.

gerardog avatar Jul 07 '22 16:07 gerardog
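The timing rules stated in the comments above (idle time counted from when the previous elevated command finished, CacheDuration changes invalidating the cache, `cache on -d` setting a per-session duration) can be checked against the scripts in this thread with a small model. This is an added example, not gsudo code and not part of the original thread; the event names are invented for the model, it assumes every popup starts a new cache session, and it does not model the `cache on` startup delay.

```python
from typing import List, Optional, Sequence, Tuple

DEFAULT_DURATION = 5 * 60  # seconds; the thread gives 5 minutes as the default


def popups(events: Sequence[Tuple], configured: float = DEFAULT_DURATION) -> List[int]:
    """Return the indexes of the events that would show a UAC popup."""
    now = 0.0
    idle_since: Optional[float] = None  # None means no live cache
    session = configured                # duration of the current cache session
    prompted: List[int] = []
    for i, (kind, *args) in enumerate(events):
        if kind == "wait":                    # user sits in a menu
            now += args[0]
        elif kind == "kill":                  # gsudo -k
            idle_since = None
        elif kind == "config_duration":       # gsudo config CacheDuration ...
            configured = args[0]
            idle_since = None                 # invalidates all caches by design
        elif kind in ("cache_on", "run"):
            if idle_since is None or now - idle_since >= session:
                prompted.append(i)            # no live cache: UAC popup
                session = configured
            if kind == "cache_on" and args:   # gsudo cache on -d <duration>
                session = args[0]
            if kind == "run":                 # gsudo <command>, runs args[0] seconds
                now += args[0]
            idle_since = now                  # idle clock restarts when it finishes
        else:
            raise ValueError(f"unknown event: {kind}")
    return prompted


# Constructed event lists mirroring the scripts and timeline in this thread.
REPRO_SCRIPT = [("kill",), ("cache_on",), ("config_duration", 900), ("run", 5)]
FIXED_SCRIPT = [("kill",), ("cache_on",), ("run", 5), ("run", 5), ("run", 5)]
TIMELINE = [("run", 600), ("run", 600), ("run", 600), ("wait", 300), ("run", 600)]
MENU_DEFAULT = [("cache_on",), ("wait", 600), ("run", 5)]
MENU_15_MIN = [("cache_on", 900), ("wait", 600), ("run", 5)]

if __name__ == "__main__":
    for name in ("REPRO_SCRIPT", "FIXED_SCRIPT", "TIMELINE", "MENU_DEFAULT", "MENU_15_MIN"):
        print(name, "-> popups at events", popups(globals()[name]))
```

The `MENU_DEFAULT` and `MENU_15_MIN` cases show the trade-off: a longer session duration removes the second popup for a user who idles in a menu, and it also lengthens the window in which an unattended console can elevate without a prompt.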

But OMG... How could I forget about a feature I coded myself? the cache on command accepts a duration parameter. gsudo cache on -d 00:15:00 for 15 minutes.... (HH:MM:SS format). Also gsudo cache on -d -1 for keep cache indefinitely (not recommended from a security standpoint).

That is exactly what I had in my script (check my second post in this thread), but later you wrote me 'don't do this'. So it looks like a bit of a mess ;-)

lazna avatar Jul 08 '22 07:07 lazna

Seems "%binpath%\gsudo.exe" cache on -p 0 -d 00:15:00 at the beginning of the script solves the problem. I will observe the situation and will write if some problem arises.

thanks for your assistance

lazna avatar Jul 08 '22 08:07 lazna

You are welcome. Is '-p 0' really needed to avoid additional popups in your script?

gerardog avatar Jul 08 '22 12:07 gerardog

You are welcome. Is '-p 0' really needed to avoid additional popups in your script?

No, I don't need it. Without it, it works fine.

lazna avatar Jul 09 '22 22:07 lazna