[IshKebab]

Well yeah you can't enforce any security boundary if your threat model includes "user might be tricked".

It can't be enforced on Linux because `sudo` can be trivially MitM'd, but you can't do that on Windows because it's just a click.

[reissbaker]

But the entire threat model we were discussing was that the user might be tricked:

Being a setuid binary means that sudo also suffers from attacks where an attacker runs `sudo ./malware` and then convinces the user to authenticate

That's why the OP said that's not an enforceable security boundary. If the user is capable of attaining superuser privs, you can trick them, regardless of how attaining those privs is implemented.

[IshKebab]

Yeah I wasn't agreeing with that either.

I didn't interpret OP's comment like that. I think he was saying you can't enforce the boundary at all even if users don't get tricked.

That's true on Linux because the sudo UI can trivially be MitM'd by malware. You can't do that on Windows so trivially.

[shakna]

That was doable, and how it worked, under Windows until a few weeks ago [0].

[0] https://cyberdom.blog/abusing-the-windows-update-stack-to-ga...