microsoft
You are not allowed to run sudo
Sudo for Windows version
1.0.0
Windows build number
10.0.20348.2582
Other Software
No response
Steps to reproduce
On Windows Server 2022, in an Administrator cmd.exe window,
sudo c:\windows\system32\cmd.exe
Expected Behavior
Expect cmd to run
Actual Behavior
Got "You are not allowed to run sudo" instead.
That error message is specific to when the user is not a member of the admins group:
https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/helpers.rs#L181-L185 https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/main.rs#L343-L347 https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/main.rs#L311-L313
Are you either:
- running with over-the-shoulder elevation (where your local user account isn't an admin, and you're running
cmdas another admin user)? - Running with UAC entirely disabled?
As mentioned, this was the "Administrator" account, and it's a member of Administrators. UAC is totally disabled, set at "Never notify"
UAC is totally disabled, set at "Never notify"
I'm betting that's what it is. I'd guess what's happening here is the same thing Terminal had to deal with - there's a difference between running elevated with a split token, vs the "UAC entirely disabled" scenario. Heck, right above that, there's even:
https://github.com/microsoft/sudo/blob/5fd6a797213642061898b8f0ec4fee46ff82d5bc/sudo/src/helpers.rs#L116-L124
Looks like that check doesn't happen till after the can_current_user_elevate one. That should be easy enough for someone to rearrange the ordering of.
I dunno if I can comment on the big-picture "is UAC disabled supported". I suppose it should be, at least from the perspective of sudo. Seems like it'd be easy enough for us to just shortcut the "can you elevate" and just do the thing (even tho you don't need sudo at all at that point)
@zadjii-msft Was referring to sudo running on Windows Server 2022. I thought sudo was only targeting newer versions.
Oh yea I don't see why not. Sudo might be "targeting" newer versions, but it should work all the way back to, like, windows 7:
- https://nitter.privacydev.net/TheBobPony/status/1755846334337142912
- https://winaero.com/sudo-for-windows-11-actually-runs-on-windows-10-and-windows-7/
All it really needs is ConDrv, and that's been there for a loooong time now. Only reason we haven't backported it to win10 yet is because backporting takes a lot of paperwork to fill out 🤷
Cool thanks! I was looking to pitch in a fix here but wanted to verify running in this config was supported before I spun my wheels.
I know this is NOT simply the Windows implementation of sudo as known from Linux systems, but in this case calling it "sudo for Windows" seems to be a misuse at best. As per the Wikipedia article on sudo: "[sudo] enables users to run programs with the security privileges of another user, by default the superuser".
In this case it allows admin users (superusers) run application in the elevated context. It should be called "command line UAC" or something similar, which would be far more accurate. Unless there is a plan to make the Windows "sudo" a real sudo implementation for Windows with all (or at least core) the features.
That discussion was had in https://github.com/microsoft/sudo/discussions/23 and is unrelated to this issue.
I encountered the same situation: I used the administrator account created when installing Windows to open PowerShell (even if it was an administrator's PowerShell) Still prompting that you are not allowed to run sudo
