Sudowin


Sudowin is an implementation of sudo for Microsoft Windows.

The SourceForge page has no documentation; however, it is available in PDF format here

Whilst many users find RUNAS works for them, I find it problematic. Sudowin is much better for giving high-needs users a way to perform actions with escalated privileges when necessary, while running their Windows session as an unprivileged user.

Add users to the Sudoers local group, which is created on install; otherwise you must manually specify them in the sudoers.xml file located in %PROGRAMFILES%\Sudowin\Server. You will need to read the documentation to implement this properly, but you can get a basic setup going quickly.

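This package relies on SetACL, which the listing below runs from %SOFTWARE%\system\setacl.exe. Replace yourdomain\app_sudowin in the listing with the account or group that should be allowed to run the Sudowin clients.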

<?xml version="1.0" encoding="UTF-8"?>

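<packages>

  <!--
    WPKG package definition for Sudo for Windows (Sudowin).

    What it does: installs the MSI, then tightens the file ACL on the two
    client executables so that only the app_sudowin trustee (plus whatever
    other ACEs were inherited, minus Users and Power Users) can read and
    execute them, and finally deploys a site-specific sudoers.xml.

    Before use:
      * Replace yourdomain\app_sudowin with a real account or group.
      * Everything here is fetched from %SOFTWARE% and executed with the
        rights WPKG runs under, so the share holding the MSI, setacl.exe and
        sudoers.xml should be writable by administrators only.
      * The ACL on the client binaries is an extra restriction on who can
        start the clients; who may elevate is still governed by the Sudoers
        group and sudoers.xml.
      * WPKG runs the upgrade commands when the revision on the server is
        higher than the installed one; raise revision when rolling out an
        edited copy of this definition.
  -->
  <package
      id="sudowin"
      name="Sudo for Windows"
      revision="2"
      reboot="false"
      priority="10">

    <check type="uninstall" condition="versiongreaterorequal" path="Sudo for Windows" value="0.2.0"/>

    <!-- Silent install of the MSI from the software share -->
    <install cmd='msiexec /qn /i "%SOFTWARE%\sudowin\sudowin-bin-0.4.2-r208.msi"' />

    <!--
      Lock down sudo.exe (console client):
        1. setprot dacl:p_c   protect the DACL from inheritance, keeping a copy
                              of the ACEs that were inherited so far
        2. ace ... read_ex    give app_sudowin read and execute
        3. trustee remtrst    remove every ACE of local Users from the DACL
        4. trustee remtrst    remove every ACE of local Power Users from the DACL
      Step 1 has to come first, otherwise inherited ACEs cannot be removed.
    -->
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn setprot -op "dacl:p_c"' />
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn ace -ace "n:yourdomain\app_sudowin;p:read_ex"' />
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Users;ta:remtrst;w:dacl"' />
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Power Users;ta:remtrst;w:dacl"' />

    <!-- Same four steps for the Sudowin GUI client -->
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn setprot -op "dacl:p_c"' />
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn ace -ace "n:yourdomain\app_sudowin;p:read_ex"' />
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Users;ta:remtrst;w:dacl"' />
    <install cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Power Users;ta:remtrst;w:dacl"' />

    <!--
      Deploy the site sudoers.xml over the one shipped in the MSI
      (xcopy /R overwrites a read-only target, /Y suppresses the prompt).
      NOTE(review): this file is the elevation policy; its ACL is not touched
      here, so confirm that unprivileged users cannot write to it.
    -->
    <install cmd='%comspec% /c xcopy /R /Y "%SOFTWARE%\sudowin\sudoers.xml" "%PROGRAMFILES%\Sudowin\Server\"'/>

    <!-- Remove the Start Menu entry -->
    <install cmd='%COMSPEC% /c rmdir /q /s "%AllUsersProfile%\Start Menu\Programs\Sudo for Windows"'/>

    <!--
      Upgrade: stop the service first. Exit code 2 is accepted next to 0,
      presumably so that a service that is already stopped does not fail
      the upgrade.
    -->
    <upgrade cmd='%COMSPEC% /c net stop Sudowin'>
      <exit code="0" />
      <exit code="2" />
    </upgrade>

    <!-- then force reinstallation of the msi (/fa rewrites all files) -->
    <upgrade cmd='msiexec /qn /fa "%SOFTWARE%\sudowin\sudowin-bin-0.4.2-r208.msi"' />

    <!--
      The reinstall replaces the binaries, so the ACL lockdown is applied
      again: same four steps as on install, first for sudo.exe.
    -->
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn setprot -op "dacl:p_c"' />
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn ace -ace "n:yourdomain\app_sudowin;p:read_ex"' />
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Users;ta:remtrst;w:dacl"' />
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Console\sudo.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Power Users;ta:remtrst;w:dacl"' />

    <!--
      And the same for the Sudowin GUI client. The Power Users removal was
      missing from the upgrade path, which left that group's copied ACE on
      the GUI executable after an upgrade; it now mirrors the install path.
    -->
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn setprot -op "dacl:p_c"' />
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn ace -ace "n:yourdomain\app_sudowin;p:read_ex"' />
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Users;ta:remtrst;w:dacl"' />
    <upgrade cmd='"%SOFTWARE%\system\setacl.exe" -on "%PROGRAMFILES%\Sudowin\Clients\Gui\Sudowin.Clients.Gui.exe" -ot file -actn trustee -trst "n1:%COMPUTERNAME%\Power Users;ta:remtrst;w:dacl"' />

    <!-- Copy our sudoers.xml to the PC again, since the reinstall may have replaced it -->
    <upgrade cmd='%comspec% /c xcopy /R /Y "%SOFTWARE%\sudowin\sudoers.xml" "%PROGRAMFILES%\Sudowin\Server\"'/>

    <!-- Remove the Start Menu entry -->
    <upgrade cmd='%COMSPEC% /c rmdir /q /s "%AllUsersProfile%\Start Menu\Programs\Sudo for Windows"'/>

    <!-- Removal: stop the service first (exit code 2 accepted, as on upgrade) -->
    <remove cmd='%COMSPEC% /c net stop Sudowin'>
      <exit code="0" />
      <exit code="2" />
    </remove>

    <!-- then uninstall using the msi (a stray trailing space inside the quoted path was removed) -->
    <remove cmd='msiexec /qn /x "%SOFTWARE%\sudowin\sudowin-bin-0.4.2-r208.msi"' />

    <!-- finally force delete the program directory, which also removes the deployed sudoers.xml -->
    <remove cmd='%COMSPEC% /c rmdir /q /s "%PROGRAMFILES%\Sudowin"'/>

  </package>

</packages>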