
Feature Request: sudoers (run as someone whose password I don't know)

Open keremers opened this issue 2 years ago • 2 comments

Hello,

gsudo asks for the administrator password when using a privileged operation. But it should be asking for the current user's password, not the administrator's. There's another sudo application that does this but unfortunately, I could not get it to run with my program. Is it possible to ask for just the user's password and not the administrator's? Because this way I would be giving the admin password to everyone.

keremers avatar Aug 26 '23 14:08 keremers

Yes. I desire this feature as well, but it is quite a challenging thing to create. I don't have a design for it currently. Too many aspects to consider.

For example: Would it be necessary to pre-configure and store the target user(s) credentials? Or should gsudo just hack/create a security token for someone not logged in?

gerardog avatar Aug 31 '23 21:08 gerardog

Windows has the ability to create an access token for another user whose password you don't know. You use LsaLogonUser with MSV1_0_S4U_LOGON as the AuthenticationInformation value. It's not documented in the online MS docs but it's essentially the same as KERB_S4U_LOGON. Some caveats to this approach:

  • You need to have the SeTcbPrivilege (impersonating SYSTEM to call this func is fine)
  • It's a batch logon type not interactive, so some things that grant access for interactive logons won't apply to it
  • It cannot delegate to another host, outbound authentication appears as an anonymous user

This is the same concept that task scheduler uses when running as a non-logged in user without the password being saved.

A proof of concept of LsaLogonUser using the PowerShell ctypes module can be found at https://gist.github.com/jborean93/ca63f50ecaa9be5b517df5ad3433d461. With this I can spawn a new process as that user with APIs like CreateProcessAsUser or CreateProcessWithToken.


Edit: I forgot to mention but all this can be simplified with the WindowsIdentity string constructor. Unfortunately it only works for domain accounts and not local ones.

jborean93 avatar Sep 27 '23 01:09 jborean93
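The following is an added example, not gsudo's code and not code posted by anyone in this thread. It exercises the WindowsIdentity string constructor mentioned in the edit above (the simplified, domain-only path) and shows the SeTcbPrivilege caveat in practice: LSA returns an Identification-level token to callers without that privilege, and such a token can be inspected (name, groups) but not used to run anything as the target user. The UPN is a placeholder, the host is assumed to be domain-joined, and the function names are the example's own.

```powershell
# Added example (not from gsudo or the issue thread). Requires a domain-joined host;
# the WindowsIdentity(string) constructor performs a Kerberos S4U logon and throws for
# local accounts. 'alice@corp.example' is a placeholder UPN.
Set-StrictMode -Version Latest

function Test-TcbPrivilege {
    # S4U tokens only come back at Impersonation level when the caller holds SeTcbPrivilege
    # (normally only SYSTEM has it). whoami lists privileges present in the current token.
    $priv = whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -eq 'SeTcbPrivilege' }
    return ($null -ne $priv)
}

function Get-S4UToken {
    param([Parameter(Mandatory)][string]$Upn)
    # No password involved: the DC issues a service ticket to ourselves on behalf of $Upn.
    $id = [System.Security.Principal.WindowsIdentity]::new($Upn)
    [pscustomobject]@{
        Name               = $id.Name
        AuthenticationType = $id.AuthenticationType
        ImpersonationLevel = $id.ImpersonationLevel   # Identification without SeTcbPrivilege
        GroupCount         = $id.Groups.Count
        Identity           = $id
    }
}

function Invoke-AsS4UUser {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][scriptblock]$Script
    )
    $info = Get-S4UToken -Upn $Upn
    if ($info.ImpersonationLevel -ne [System.Security.Principal.TokenImpersonationLevel]::Impersonation) {
        throw "Token for $Upn is $($info.ImpersonationLevel)-level only; SeTcbPrivilege present: $(Test-TcbPrivilege)"
    }
    # Switches the calling thread to the S4U token for the duration of the script block.
    # Remote access from inside (SMB, HTTP auth) appears as an anonymous user, as noted above.
    [System.Security.Principal.WindowsIdentity]::RunImpersonated($info.Identity.AccessToken, [System.Action]$Script)
}

# Usage with the placeholder UPN: inspection works everywhere, impersonation only as SYSTEM.
$upn = 'alice@corp.example'
Get-S4UToken -Upn $upn | Select-Object Name, AuthenticationType, ImpersonationLevel, GroupCount
if (Test-TcbPrivilege) {
    Invoke-AsS4UUser -Upn $upn -Script {
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}
```

Run it once as a normal user and once under SYSTEM (for instance via gsudo itself, `gsudo -s`) to see the ImpersonationLevel flip from Identification to Impersonation; the Identification-level token is still useful for a sudoers-style design because it lets you evaluate the target user's group membership before deciding whether to elevate.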