Crates.io | deelevate |
lib.rs | deelevate |
version | 0.2.0 |
source | src |
created_at | 2020-12-18 03:40:31.196404 |
updated_at | 2022-03-17 23:28:09.15703 |
description | Drop privileges on Windows |
homepage | |
repository | |
max_upload_size | |
id | 324201 |
size | 99,535 |
This repo is the home of EleDo (and NormDo), utilities that allow switching privilege levels from the command line on Windows 10 and later.
The core privilege shifting code is also available as a Rust crate and a small C library to make it possible for an console based application to to detect and adjust its privilege level.
While this repo is named for the privilege elevation aspect, it originally started life with the goal of reducing privileges to "normal" levels.
In some cases you need a higher level of access than is normal; for example, to install software or make system configuration. This is not new; most users will use the "Run as Administrator" option for a powershell session and run their commands that way, leaving the privileged session open for convenience, mixing commands and running most of them with higher privileges than are strictly required.
Users coming from unix systems generally prefer not to do this and instead use
a utility known as sudo
(Super-User Do) to run a specific command with
increased privileges.
This repo provides eledo.exe
as a workalike to sudo
; it will attempt to
increase privileges using the User Account Control mechanism built in to
Windows to prompt the user to confirm that it should run with increased
privileges.
This repo also provides normdo.exe
(Normal User Do) that works in the
opposite way, dropping privileges back to normal levels to run a command.
This functionality is important for security-minded code that wishes to
run with lower (if not least!) privilege regardless of the privilege level
of the code that invoked it.
There are two logical halves to this crate;
use deelevate::{Token, PrivilegeLevel};
let token = Token::with_current_process()?;
match token.privilege_level()? {
PrivilegeLevel::NotPrivileged => {
// No special privs
}
PrivilegeLevel::Elevated => {
// Invoked via runas
}
PrivilegeLevel::HighIntegrityAdmin => {
// Some other kind of admin priv.
// For example: ssh session to Windows 10 SSH server
}
}
use deelevate::spawn_with_normal_privileges;
use deelevate::spawn_with_elevated_privileges;
// If we have admin privs, this next line will either spawn a version
// of the current process with reduced privs, or yield an error trying
// to do that.
// The spawn_with_elevated_privileges function works similarly, except
// that it will only return when the calling process has elevated
// privs.
spawn_with_normal_privileges()?;
// If we reach this line it is because we don't have any special privs
// and we can therefore continue with our normal operation.
The show
example demonstrates testing for the privilege level.
The spawn
example demonstrates re-executing the process at a lower priv level.
There are some privilege levels that are not mapped as privileged from the perspective of this crate. The rationale for this is that those levels are unusual enough that they are probably not humans and probably should not have this crate adjusting the privilege level.
It may feel like this might be a security concern, but its worth noting that:
This crate provides normdo.exe
for running a command with normal privileges,
and eledo.exe
for running a command with elevated privileges. Unlike other
elevation solutions, both of these utilities are designed to run from inside
a console and to keep the output from the target application in that console.
In addition, these tools use the PTY APIs in order to support running terminal
applications such as pagers and editors (vim.exe!) correctly!
Both of these tools require that the eledo-pty-bridge.exe
be installed
alongside them, or otherwise be in the PATH. The bridge process is required
to host the PTY and spawn the program in the alternatively privileged
context.
eledo.exe
Runs a program with elevated privs
eledo.exe PROGRAM [ARGUMENTS]
eledo.exe
will check to see if the current context has admin privileges;
if it does then it will execute the requested PROGRAM
directly, returning
its exit status.
Otherwise, eledo.exe
will arrange to run the program with an elevated PTY
that is bridged to the current terminal session. Elevation requires that the
current process be able to communicate with the shell in the current desktop
session, and will typically trigger a UAC prompt for that user.
> eledo.exe whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
normdo.exe
Runs a program with normal privs
normdo.exe PROGRAM [ARGUMENTS]
normdo.exe
will check to see if the current context has admin privileges;
if it does not then it will execute the requested PROGRAM
directly, returning
its exit status.
Otherwise, eledo.exe
will arrange to run the program with a Normal user token
with Medium integrity level, dropping/denying the local administrator group
from the current token. The program will be run in a PTY that is bridged to
the current terminal session.
> normdo.exe whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
The elevator icons embedded into the utilities were made by Pixel perfect from www.flaticon.com