Powershell: Improve the configuration APIs in PSConfiguration.cs

Created on 7 Jan 2018 · 6Comments · Source: PowerShell/PowerShell

The tasks that I can think of are:

maybe replace the singleton with static methods
schema check
synchronize updating the configuration file from multiple processes.
- we currently have a read/write lock to protect updating/reading the config file. The lock doesn't help synchronize writing access from multiple processes.
holding the config file in one process (e.g. write access or none share) will cause a new pwsh instance to crash at startup because it cannot access the config file and we don't deal with the IOException.
- we could return default value when the config file is not accessible, but need to consider to not allow bypassing security settings because of that.
  - one option: have two sets of default values for security settings. One set is used when the config file doesn't exist or the security setting is not defined in the file; the other set is used when the file exists but not accessible, to enforce all security features that are configurable in the config file.

Repro step for 4:

First, run the following code to hold the config file of the current pwsh

$path = "path-to-powershell.config.json"
$mode = "Open"
$access = "Read"
$share = "None"

$file = [System.IO.File]::Open($path, $mode, $access, $share)

Then, start a new instance of the pwsh, and it will crash.

WG-Engine

Source

daxian-dbw

Most helpful comment

@iSazonov @TravisEz13 GPO policy related discussion should happen in a new issue. This issue is for improving the APIs for reading settings from powershell.config.json file. The precedence order of policy related settings is another layer on top of the configuration APIs, not the configuration APIs themselves.

daxian-dbw on 8 Jan 2018

👍2

All 6 comments

We could make public API to enable developers to work consistently with config files.

iSazonov on 7 Jan 2018

It seems currently we read config option step-by-step by demand. I think re-read all config file(s) in one step and cache it is more optimal.

iSazonov on 7 Jan 2018

Suggestions:

use Windows PowerShell GPO by default to not allow users ignore security and Enterprise policies for PowerShell
add new GPO branch for PowerShell Core to allow Enterprises configure Windows PowerShell and PowerShell Core separately.
use GPO policies (Software\Policies\Microsoft\Windows\PowerShell) and GPO config options (Software\Microsoft\Windows\PowerShell)
we want #5804 RegisterGPNotification we should do the same for config files too.

iSazonov on 7 Jan 2018

👍1

Configuration priority:

iSazonov on 7 Jan 2018

GPO Computer Policy for Windows PowerShell is not considered when in PS Core as this policy is for a separate product. If we want to honor policy for Windows PowerShell, we should not introduce a policy for PowerShell Core.

TravisEz13 on 8 Jan 2018

👍1

daxian-dbw on 8 Jan 2018

👍2

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Get-Date -UFormat '' throws an unhelpful exception for an empty string argument

HumanEquivalentUnit · 3Comments

Feature Request: Add conditional colorization to Format-Table command

pcgeek86 · 3Comments

Support for $MaximumFunctionCount and other limits should be removed

lzybkr · 3Comments

Feature Request: Suppress sleep cmdlet

garegin16 · 3Comments

Parameter parsing/passing: unquoted tokens that look like named arguments with colon as the separator are broken in two when passed indirectly via $Args / @Args

mklement0 · 3Comments