PowerShell Core for Linux Administrators Cookbook

上QQ阅读APP看书，第一时间看更新

Listing out the execution policies and setting a suitable one

This is a Windows-only recipe. Skip this if you never plan to work on Windows.

There was a time when running scripts on Windows computers was a cakewalk. Windows computers were highly prone to remote script executions. With PowerShell, Microsoft added a safety belt that allowed the user some control over how PowerShell scripts were loaded. Some specific models of script executions got restricted, which plugged some holes in the system.

It is important to remember that execution policies are not a security feature. There are ways to circumvent this fence. Execution policies are in place only to ensure that users don't accidentally run scripts without awareness.

PowerShell Core on Windows and Windows PowerShell contain this feature. Running PowerShell scripts on Windows is still restricted by default. On PowerShell Core on Linux, execution policies do not work at the moment, and, based on the interactions in the community, it is uncertain whether this feature will ever make it to PowerShell on Linux. Regardless, if you are reading this book, you are more than capable of understanding the perils of scripts from unknown sources.

An execution policy determines what type of scripts can be executed. Here are the six execution policies (excluding Default):

AllSigned
RemoteSigned
Restricted
Unrestricted
Bypass
Undefined

There are three scopes as well:

Process
CurrentUser
LocalMachine

A combination of an execution policy and a scope are what determine the condition that scripts can be loaded under. Microsoft has documented in detail what each of the policies is. In general, AllSigned requires that all of the scripts that run on the computer are signed using a code-signing certificate by a trusted certification authority. If this policy is set, PowerShell will not run unsigned scripts, even if you were the one to create them.

Restricted is the default policy: commands can be run, but not scripts. RemoteSigned allows scripts that have been created on your own computer to run. Scripts that have been downloaded from the internet cannot be run.

Bypass is similar to Unrestricted, however, it is used in specific scenarios, such as when PowerShell forms the basis of a certain application, and the application has its own security implementation.

Unrestricted means that all scripts and commands can run after a simple confirmation. Undefined means that no policy has been defined for a particular scope. Follow the recipe to find the execution policy that is effective on the session, and change it to suit your needs.