"Security reasons" that started popping up after recent changes in scoop installer are rather vague

[AndrewSav]

Recently my OS Build pipelines started failing with:

Running the installer as administrator is disabled by default, use -RunAsAdmin parameter if you know what you are doing.

They have not change for many months, so I'm assuming the reasons are changes in scoop. When you go to https://github.com/ScoopInstaller/Install#for-admin you can read:

Installation under the administrator console has been disabled by default for security reason. If you know what you are doing and want to install Scoop as administrator. Please download the installer and manually execute it with the -RunAsAdmin parameter in an elevated console.

What particular security reasons caused disabling this feature? (The -RunAsAdmin obviously works as described, I just would like to know what are the perceived security risks).

Possibly it makes sense to include answer to this question in the readme.

[rashil2000]

Hi Andrew. Please check the discussion at #4783

[AndrewSav]

@rashil2000 I'm sorry, after having read that discussion I'm still very unclear as to what particular security reasons caused disabling this feature. If I missed the explanation, in that thread, could you please kindly point me to the message that explains that? Thank you in advance.

[rashil2000]

I'm not completely familiar with it. @chawyehsu will be able to explain it better.

[chawyehsu]

What particular security reasons caused disabling this feature?

In fact there is no explicit, known security reasons causes this restriction, Scoop is completely open-sourced and audits should have been done for many times by its users from the community.

I started to work as the main contributor on the standalone installer in 2019, the feature of disabling installation as administrators was introduced as the default behavior at the very early revision of the standalone installer, looking back to the early commits.

Scoop was initially designed to work perfectly without admin rights, and I would call this the killer feature of Scoop that makes Scoop unique, compared to other simliar softwares. Despite this, we know there are users tend to install Scoop as admin for different reasons (indeed, I have seen an user installing Scoop as admin and installing all apps, including the global ones, into the same privileged directory to make it work like apt, not actually work as apt though), which is not the general use case and may not have a better experience. Hence I added the admin check to the new installer when I was building it. The key purpose of it is to set a explicit bar to telling new users, privileged users more accurately, that Scoop can work without privileges. Kind of philosophical significance of Scoop. To be honest I didn't take the case of CI which cannot run as non-admin into account, though -RunAsAdmin works.

Does it matters and are there really security risks? I would say it depends. The community grows a lot with more and more manifests and third-party buckets. By contrast, the maintainer team is small and we might not be able to make sure every incoming commit invulnerable. For instance, honestly speaking, we unexpectedly accepted #4551. It's a serious mistake from my perspective. And as least running Scoop as restricted users will be definitely safer in such situation.

I don't know if what I wrote above answer your question. While I didn't intend to talk about this, I have to clarify it since I am the main contributor of the new installer.