-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When running elevated, use non-elevated processes unless required #942
Comments
Hi @henrygab The reason why PowerToys runs elevated, is to be able to interact with elevated windows and to process keyboard and mouse events when the active window is elevated. |
@DHowett-MSFT here is the thread i was referring to. |
@enricogior -- Two questions below... I now understand that you are going to enable the entire powertoys app to run non-elevated. Q1. Can you point me to the issue that is tracking this, so I can get notification when it closes? I admit that I'm also surprised that each powertoy is not isolated from the others via a separate process. It just seems like it'd make it much harder to track down issues if there's ever a bug that causes memory or stack corruption, not to mention the inability to remove unneeded privileges of those processes. Q2. Should I open a new issue to track the feature request of running each powertoy in its own, privilege-reduced process? |
Q1. This has already be done 619ed23 Q2. Spawning one process for each PowerToy would require to redesign from scratch the current PowerToys main process, it's not something we would consider doing in the near future given is arguably an improvement. We may reconsider it in the future. But feel free to open the issue to have a public discussion. To give you some motivations why it wouldn't be necessary an improvement:
|
@enricogior -- Thanks for the answers. Necessity depends on the view of the user. Given the default is to run as administrator, and it's an all-or-nothing choice, it forces the user to fully trust all the modules. Your viewpoint of "if there is no known security concern, then it is OK to run everything with full administrator privileges" is, bluntly, in direct contradiction of secure development lifecycle (SDL) best practices. Code should run in the minimum security context necessary to get its own job done. As it appears that you are arguing against this best practice, then I am simply left perplexed. I will step away from this discussion for a while, as I do not feel I can contribute to a productive result. |
In the next release the default will be to run non-elevated. |
Summary of the new feature/enhancement
If started with elevated privileges, load individual powertoys in either an elevated process, or one with restricted tokens (non-elevated), based on the individual powertoys feature requirements (and user configuration override?).
Problem
Some powertoy capabilities (FancyZones, etc.) cannot work with elevated applications, unless powertoys is itself elevated. However, this means every powertoy gets elevated privileges, which unnecessarily increases attack surface / raises risks for any bugs.
A user could selectively enable which powertorys run in the process with elevated privileges. This means that, even if running elevated, only a smaller subset has full system access.
Proposed technical implementation details (optional)
See Stackoverflow post from 2016, for one way to remove administrative privileges.
There's also a Microsoft blog post from 2013 describing a second way.
Longer-term, and related to #938, each PowerToy could describe the privileges needed, and the runner could drop the non-necessary privileges when creating the process for that PowerToy...
The text was updated successfully, but these errors were encountered: