Microsoft is bringing the Linux 'sudo' feature to Windows Server 2025, offering a new way for admins to elevate privileges for console applications.
Superuser do, or sudo, is a Linux console program that allows low-privileged users to execute a command with elevated privileges, usually as root.
This command offers increased security in Linux as servers can be used normally under low-privileged accounts while still allowing users to elevate their privileges as needed when running specific commands.
An example of the sudo command is shown below, where we run 'whoami' as a low-privileged user and then run it using sudo.
Notice that the whoami command shows that I am running it as the bleeping user. However, when I execute whoami with sudo, it elevates my privileges to root.
Testing sudo in Windows Server 2025
Microsoft released the first Windows Server 2025 Insider preview build last week. However, soon after, a newer version was leaked online.
As first reported by Windows Latest (first spotted by @thebookisclosed), the leaked version contains some new in-development features, including new settings for a Windows 'sudo' command.
These settings are only available after enabling developer mode, and the sudo command does not yet work from the command line, showing it is early in development.
However, the sudo settings provide some clues as to how the command will work, with the ability to run sudo applications 'In a new windows', 'With input disabled', and 'Inline'.
Windows already offers the ability to elevate programs automatically using UAC prompts, causing the programs to run with elevated privileges in their own window.
However, some administrative tools, such as bcdedit and reagentc, require you to be an administrator to run them.
In these cases, the sudo command will allow the programs to run based on its Windows settings, such as in a new window, inline in the current window, or possibly in a non-interactive shell using the disabled input setting.
While this feature has not been spotted in Windows 11, it would not be surprising for Microsoft to add sudo to that operating system in the future as well.
It is important to note that Microsoft commonly tests new features in preview builds that do not make it into the production builds.
However, it will be interesting to see how Microsoft integrates this feature into Windows, and it will be something to keep an eye on.
Update 2/5/24: Updated article with info on it first being spotted by Albacore.
Comments
katharta - 5 months ago
The true convergence.
h_b_s - 5 months ago
Amusing... there's a slow migration away from sudo in Linux land towards 'doas' instead. It's already happened in OpenBSD with discussion in other BSDs. It's not really making it to the Linux distro mainstream defaults just yet, but there's a recognition that sudo as a code base is aging with some notable security problems while doas represents a cleaner alternative.
U_Swimf - 5 months ago
I know of an unofficial project working on bridging UAC between the different platforms for what feels like 7 or 8 years now. Officially it's unofficial though. I bet Mr. Abrams could name one he's seen in his travels between the Underworld and purgatory (here).
Sloth - 4 months ago
How is this any different to RunAs.exe?
Drags - 4 months ago
Depending on implementation, it could mean that you're running as "system user / service user" instead of an actual created user.