PowerShell Core configuration #111
Conversation
|
Somewhere in here |
|
Actually the RFC describe the schema implicitly. |
|
@iSazonov that's not what I meant... I meant that the JSON file should have a publicly available schema. The JSON Schema defines all the object properties, their acceptable types, etc. This schema can then be linked in the More info http://json-schema.org |
|
@SteveL-MSFT Time is over. Could we continue? |
| File -> Application-Wide | $apphome\powershell.config.json | $apphome/powershell.config.json | ||
| File -> User-Wide | %APPDATA%\powershell.config.json | ~/powershell.config.json | ||
| File -> Computer-Wide | %ProgramFiles%\PowerShell\powershell.config.json | /opt/Microsoft/powershell/powershell.config.json | ||
| GPO -> User Config | HKCU\Software\PowerShellCore | See `Comment A` below |
There was a problem hiding this comment.
Regular setting should be deployed via GPP not GPO
There was a problem hiding this comment.
GPP is for setting the user can change.
There was a problem hiding this comment.
We're talking about values in the registry. In this case, the user can change any value if it has permissions (mainly in HKCU). (Of course then this value will be overwritten by GPO or GPP)
I don't see the point of distinguishing between regular settings and policies by name. What is the criterion? We are able to set the value in the registry using GPP in the Policy branch (even in HKLM) and thereby assign the policy.
The only question is who, how and for what set/changes the settings. System administrators or security administrators will most often use GPOs to set mandatory standard values that are less likely to GPP to set recommended values.
This document tries to describe all the ways that can be to provide maximum flexibility and also how to get an effective value based on priority.
There was a problem hiding this comment.
GPP has the ability to not overwrite if the user changes the registry.
There was a problem hiding this comment.
Also, GPO implies that the setting is policy, which this setting is not. It is a preference.
|
Removing |
There was a problem hiding this comment.
One point I would be interested in addressing is that PowerShell will modify a powershell.config.json file at runtime. That works well until there are more than one PowerShell process running, which have no business sharing state.
I feel like it might be worth discussing those config fields which are settable and working out whether they should be system globals or process-specific. Execution policy is one example.
|
|
||
| ## Specification | ||
|
|
||
| `PowerShell Core` is configured using the following schemes: |
There was a problem hiding this comment.
I would use bold for key terms, rather than backticks.
|
@iSazonov Can you update this for how |
iSazonov
force-pushed
the
rfc-powershell-configuration
branch
from
93a3f94
to
a209f4d
Compare
|
@TravisEz13 I added a comment about |
|
|
||
| #### Parameter `-settingsfile` | ||
|
|
||
| With `-settingsfile` parameter users can assign custom settings from the config file and overwrite user-wide and application-wide settings. Only users with elevated rights can overwrite computer-wide and user policy settings. |
There was a problem hiding this comment.
When we are in lockdown mode, even elevated users should not be able to overwrite computer-wide settings
There was a problem hiding this comment.
Only users with elevated rights can overwrite computer-wide and user policy settings.
I do not know how to formulate it right at the same time for Windows (GPO) and for Unix (only files).
In fact, the administrator always has the ability to change any setting.
Maybe remove the sentence at all?
|
I find it a bit inconsistent that this config file is using JSON while other PowerShell config files like module manifests use .psd1. Why choose JSON here? |
| | | ModuleLogging | ModuleNames | String | ||
| | | ProtectedEventLogging | EncryptionCertificate | DWORD | ||
| | | ScriptBlockLogging | EnableScriptBlockInvocationLogging | DWORD | ||
| | | ScriptBlockLogging | EnableScriptBlockLogging | DWORD |
There was a problem hiding this comment.
Can ScriptBlockLogging\* and ProtectedEventLogging\* also be configured via policy?
There was a problem hiding this comment.
If logging settings refers to security then this make sense.
(Here I meant that all the settings listed can be either policy or regular)
There was a problem hiding this comment.
These setting plus execution policy are Security related.
There was a problem hiding this comment.
ModuleLogging also..
Transcription would not be set system wide, it would need to be per user or it's better to use scriptblock logging. IMHO.
cc @PaulHigin
|
@felixfbecker I think JSON was chosen for the file to be portable outside of PowerShell. JSON has very strong and widespread tooling and if your configuration is broken and you can't start PowerShell, a PSD1 parser will be harder to come by. In the time since PowerShell modules were conceived, JSON has risen to dominance as a widespread, simple, well-supported and relatively safe way to encode this kind of simple structured data. On the convention note, JSON doesn't seem to have an agreed convention and PascalCase allows a lower representational gap between the JSON file and the internal classes/settings it represents. |
|
@TravisEz13 @daxian-dbw What security setting can be in the config that we need to worry about? Or for simplicity, we should consider all settings as security? I suggest the algorithm:
I suggest open the config with options "For Read" and "Share.ReadWrite". Latest allow us avoid a trouble (keeping current settings) if file already locked by another process for write long time. The above algorithm allows us to do it safely because no need to crash. |
|
Another thing that might be worth addressing in this is path handling in the config file. Since JSON is a static asset, writing a redistributable config file that works on all platforms is not possible if all paths are taken as literal. Should PowerShell do any kind of handling for paths here? And what about environment or automatic variables? I can imagine a desire for something like: {
"PSModulePath": "${env:windir}\\System32\\WindowsPowerShell\\v1.0\\Modules"
}I can also imagine wanting to write something like: {
"PSModulePath": "$HOME/PowerShell/Modules<sep>$PSHOME/Modules"
}and have it work on Windows, Linux and macOS with Finally, another question is, should we handle relative paths at all? Possibly as relative to the config file itself? |
|
@iSazonov Secure by default is difficult to achieve. We would have to generate a unique encryption key and setup protected event logging. We would need to store that configuration somewhere. What happens if we cannot store that? How do we know if we have already setup a default? Using a hardcoded default would be insecure. How do we secure the key we generate? |
@TravisEz13 Under "secure by default" I meant that we hardcode the secure defaults internally in code.
@rjmholt We can process literal paths in PowerShell (LiteralPath parameter). I don't see problems. |
By "literal" I mean, interpreting the path verbatim as .NET would, rather then resolving it in PowerShell. As far as I know, we currently just pass the paths straight to .NET APIs, but to get a cross-platform config we'd want to do And thinking on it more, it might be worth having a short whitelist of variables like |
Currently .Net Core does the normalization on Windows. Sample https://source.dot.net/#System.Private.CoreLib/shared/System/IO/Path.Windows.cs,220 |
Absolutely, but in PowerShellEditorServices I've seen bugs where a |
|
Hey @iSazonov, we would love to take a hard look at an updated version of this. Would you mind giving it a read to make sure it makes sense with what's happened in the last year, as well as to fix the broken table you have near the beginning? Thanks! |
|
@joeyaiello Table was fixed. I added new section about defaults. I set out my vision. Your team can make changes to speed up the work if necessary. |
|
@iSazonov is any of this one still relevant now that RFC0041 has been merged? If so, can you scope it to those changes? If not, can you close this PR? Sorry, I know we've dragged our feet on this one, but I'm fairly certain a lot of this thinking served as the basis for RFC0041. Thanks for going through this exercise to help guide that one. |
|
@joeyaiello Please look this https://github.com/PowerShell/PowerShell-RFC/blob/master/4-Experimental-Accepted/RFC0041-Policy.md#acknowledgement |
|
I'm not sure the underlying motivation of the PR matters so much as the implementation as it exists. Is there an aspect of this RFC that you'd still like to offer forward that wasn't in RFC0041? |
|
@joeyaiello After reviewing RFC0041 and the PR I find 2 gaps:
|
No description provided.