Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run with highestAvailable Execution Level by default #1054

Closed
ferventcoder opened this issue Nov 15, 2016 · 10 comments
Closed

Run with highestAvailable Execution Level by default #1054

ferventcoder opened this issue Nov 15, 2016 · 10 comments

Comments

@ferventcoder
Copy link
Member

ferventcoder commented Nov 15, 2016

Update 20170606

We have flipped this functionality back to asInvoker with 0.10.7 - see #1324 for details, join the discussion at #1307.


See #1054 (comment) for the way to set it back if you need the older functionality.

Where This Applies

HighestAvailable Execution does a good job of only asking for elevation when an administrator is not in an administrative command shell, and only in that scenario. Everything else just continues to work as it normally does.

To be sure it is clear how elevation works in highestAvailable, let's understand the scenarios when elevation will be requested:

  • [ ] Admin account in elevated shell
  • [ ] Non-administrative account
  • [ ] SYSTEM account
  • [ ] Built-in administrator account on Server SKUs
  • [ x ] Administrator in an non-elevated shell

What about existing automation? Would it need to be changed for this?

Most likely all existing automation is likely to already be okay with highestAvailable anyway based on the scenarios above. Most likely you are either using SYSTEM, a non-admin account, or using an admin with an administrative shell so it doesn't get hit by UAC for other things anyway.

Summary

Try adding an app manifest that will set require admin permissions to see if it overrides the internal file.

Add app.manifest for Chocolatey. When you run Chocolatey, it will ask you to run as administrator if you are an administrator. Unfortunately it doesn't appear you can override this setting with a local manifest file next to the application AND a merged manifest (I could be wrong on this, but I didn't see a way).

Notes

One longstanding request with Chocolatey was to have it always request admin privileges before running. This has been a hope that it would cut down on the accidental runs of Chocolatey in a command shell that is not elevated and needing to open on that was. This UAC (User account control) setting is handled by something called an application manifest (app.manifest). We had it set to "asInvoker", or run with the context of the user that ran the command. We've moved this to "highestAvailable", which means if you are a non-admin, it will just run under your context, but if you are an admin in a non-elevated shell, it will ask for elevated permissions to run. There is also "requireAdministrator", which locks execution down to administrators only.

Moving to "highestAvailable" allows for that asking of privileges that you are used to, up front before it runs. However one additional thing we did here was give you more control over this setting now. We used to embed the app manifest into choco.exe. We now set it next to choco.exe (base install under $env:ChocolateyInstall, you will find choco.exe.manifest) so you have more freedom to adjust those execution levels as you see fit. There is one catch, you will need to do it on every install/upgrade of Chocolatey until #1206 is implemented.

@ferventcoder
Copy link
Member Author

ferventcoder commented Nov 15, 2016

Instructions for non-admin installation will need to be added as well to remove this file.

ferventcoder added a commit that referenced this issue Jan 21, 2017
Ensure that Chocolatey runs with administrative context every time when
an administrative user is running Chocolatey.
ferventcoder added a commit that referenced this issue Jan 21, 2017
* stable:
  (version) 0.10.4-beta1
  (GH-1054) Ensure Admin Runs w/Admin Context
  (GH-1147) Sync - Ensure machine parseable output
  (GH-1010) Do Not Catch Text File Error
  (GH-1012) Remove "IsText" File Before Check
  (GH-1146) Aliases - Install-ChocolateyVsixPackage
  (GH-1145) Better Logs On Licensed Dll Failures
Apteryx0 pushed a commit to Apteryx0/choco that referenced this issue Jan 23, 2017
Ensure that Chocolatey runs with administrative context every time when
an administrative user is running Chocolatey.
@ferventcoder ferventcoder changed the title Handle ensuring administrative permissions Run with highestAvailable Execution Level Feb 27, 2017
@ferventcoder
Copy link
Member Author

If this becomes undesirable for some folks, we may need to shift this around a bit for the next version.

@jberezanski
Copy link

Yes, this will be undesirable. I wouldn't want choco to prompt for elevation each time I run a query command (info, list etc.).

@ferventcoder
Copy link
Member Author

Will only happen if your prompt is not elevated

@ferventcoder
Copy link
Member Author

@jberezanski still an issue considering it only prompts if you are an admin in a non-elevated context? ^^

I'm assuming this was already understood though so likely. ?

@jberezanski
Copy link

Most of my command prompts are non-elevated (this adds safety from fat fingers and security from unexpected actions performed by binary tools downloaded from the net). When I want to run something with admin rights, I just put elevate in front of the command.

So yes, still an issue.

Ideally, choco would ask for elevation only when processing one of the commands that really requires it, such as install (but only when $Env:ChocolateyInstall is not writable already).

@ferventcoder
Copy link
Member Author

Perhaps there is a way to ensure you won't have issues - still exploring this.

@ferventcoder ferventcoder reopened this Feb 28, 2017
ferventcoder added a commit that referenced this issue Mar 22, 2017
If an app.manifest is embedded in an assembly, you can not override it
at all with a local manifest created next to it. However there is one
scenario that does allow for it to be adjusted, set the file outside
next to the executable to control the behavior of the assembly.

This allows it to be adjusted when folks need to control the behavior
of Chocolatey to suit their needs. This is a compromise to ensure good
default behavior with the ability to adjust it when necessary.
ferventcoder added a commit that referenced this issue Mar 22, 2017
Document requestedExecutionLevel and how each applies and changes the
behavior of Chocolatey. Note that folks will need to do this every time
they upgrade until GH-1206 is implemented.
@ferventcoder
Copy link
Member Author

ferventcoder commented Mar 22, 2017

Okay found a way. We really need the behavior for most folks to ask that they run with the highest privileges they have. It will also help reduce support tickets and otherwise.

However a good compromise is externalizing the app manifest that Chocolatey uses so that you can decide what to change it to yourself. Also added a lot of documentation here to help folks make the best decision. However there is a catch. Not a big one, but it may be a bit annoying if you do want to change the value - you will need to do it every time you upgrade until #1206 is implemented.

  • Find $env:ChocolateyInstall and open that folder.
  • There is a choco.exe.manifest file. Open the file.
  • Change the line <requestedExecutionLevel> to use asInvoker.
  • Save the file and exit the editor.
  • You may also need to change the modified date on choco.exe so Windows will pick up the change.

NOTE: This sets choco.exe back to the way it worked in older versions. This means that there is no elevation when starting choco.exe or any of its shims like cpack.exe, clist.exe, etc.

@jberezanski
Copy link

It's a reasonable compromise. Hopefully one day Choco will get smart enough to ask for elevation only for actions which require it.

@ferventcoder
Copy link
Member Author

It's a reasonable compromise. Hopefully one day Choco will get smart enough to ask for elevation only for actions which require it.

There are some really complex ways to handle this now, and none of them seem beneficial for the amount of work required to do so (think git model, where every action is its own binary).

@ferventcoder ferventcoder changed the title Run with highestAvailable Execution Level Run with highestAvailable Execution Level by default Mar 22, 2017
ferventcoder added a commit that referenced this issue Mar 22, 2017
* stable:
  (GH-1203) Ensure PowerShell uses CRLF
  (GH-1200) Export built-in functions early
  (maint) Update NuGet.Core
  (maint) update scenarios
  (GH-1054) Document requested execution levels
  (GH-1054) Externalize the app.manifest
vexx32 added a commit to vexx32/choco that referenced this issue Feb 27, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Feb 28, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Feb 28, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Feb 28, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Feb 28, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Feb 28, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Feb 28, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Mar 1, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Mar 1, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Mar 8, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Mar 10, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Mar 10, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
vexx32 added a commit to vexx32/choco that referenced this issue Mar 13, 2023
Previously we only ran backups and beforeModify scripts on the target
package(s) and not their dependencies.

This change should ensure we are _always_ running backups on any
existing packages from a NuGet source before we try to modify them in
any way. Additionally, this should ensure we can run the beforeModify
scripts for ALL dependencies of the target package(s).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants