grub tools and Windows UAC

grub tools and Windows UAC

[Andrey Borzenkov]

If UAC is enabled, running grub-install (and probably others too - did
not try) will request privilege elevation; but then process is
re-launched in separate window and disappears after it is finished.
This makes even reading help impossible.

May be grub should check for privilege elevation status and refuse to
run if it is not sufficient.

Re: grub tools and Windows UAC

[Vladimir 'φ-coder/phcoder' Serbinenko]

[-- Attachment #1: Type: text/plain, Size: 778 bytes --]

On 25.12.2013 12:11, Andrey Borzenkov wrote:
> If UAC is enabled, running grub-install (and probably others too - did
> not try) will request privilege elevation; but then process is
> re-launched in separate window and disappears after it is finished.
> This makes even reading help impossible.
I think that the cause of it is get_default_platform which uses
get_efi_variable to check for EFI. Perhaps we should check privileges
and assume BIOS if get_default_platform is run just for the help.
> 
> May be grub should check for privilege elevation status and refuse to
> run if it is not sufficient.
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 291 bytes --]

Re: grub tools and Windows UAC

[Andrey Borzenkov]

[-- Attachment #1: Type: text/plain, Size: 1368 bytes --]

В Ср, 25/12/2013 в 13:16 +0100, Vladimir 'φ-coder/phcoder' Serbinenko
пишет:
> On 25.12.2013 12:11, Andrey Borzenkov wrote:
> > If UAC is enabled, running grub-install (and probably others too - did
> > not try) will request privilege elevation; but then process is
> > re-launched in separate window and disappears after it is finished.
> > This makes even reading help impossible.
> I think that the cause of it is get_default_platform which uses
> get_efi_variable to check for EFI.

Yes, of course.

>                                   Perhaps we should check privileges
> and assume BIOS if get_default_platform is run just for the help.

Better would be to tell the truth - platform unknown.

We will need privilege elevation to perform installation any way. What
we could do is to explicitly warn user about it and later grub-install
will simply exit due to unknown platform.

> > 
> > May be grub should check for privilege elevation status and refuse to
> > run if it is not sufficient.
> > 
> > _______________________________________________
> > Grub-devel mailing list
> > Grub-devel@gnu.org
> > https://lists.gnu.org/mailman/listinfo/grub-devel
> > 
> 
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: grub tools and Windows UAC

[Andrey Borzenkov]

[-- Attachment #1: Type: text/plain, Size: 1534 bytes --]

В Ср, 25/12/2013 в 13:16 +0100, Vladimir 'φ-coder/phcoder' Serbinenko
пишет:
> On 25.12.2013 12:11, Andrey Borzenkov wrote:
> > If UAC is enabled, running grub-install (and probably others too - did
> > not try) will request privilege elevation; but then process is
> > re-launched in separate window and disappears after it is finished.
> > This makes even reading help impossible.
> I think that the cause of it is get_default_platform which uses
> get_efi_variable to check for EFI. Perhaps we should check privileges
> and assume BIOS if get_default_platform is run just for the help.
> > 

It turned out to be completely unrelated. In its infinite wisdom Windows
assumes that if program has "install" or "setup" in its name, it
requires privileges elevation. Just try to run grub-bios-setup.exe :)

I did not find how to prevent it. The only suggestion is to create
manifest, but it has somewhat interesting effect - adding manifest with
level="asInvoker" does not stop Windows from attempting elevation but
now blocks attempt. So program immediately terminates with Access
Denied. And it results in nagging window about unsigned application (may
be signed applications would behave differently).

It is possible to set environment variable __compat_layer to
RunAsInvoker, but it must be done *before* starting process and is
outside of grub control.

Unless someone with better Windows experience can offer solution I'm
afraid we have to live with it. Or rename these programs on Windows.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]