Two vulnerabilities in Ubuntu 25.10's new "sudo-rs" command have been found, disclosed, and fixed in short order.

On Monday, Ubuntu [1]security notice USN-7867-1 revealed two security holes in the new Rusty sudo command, whose arrival in version 25.10 The Register [2]described back in May . The sudo is a separate project from the other new Rust component in Questing Quokka, the [3]Rust replacements for the GNU coreutils .

True, security vulnerabilities are a bad thing for a core tool whose purpose is authentication and elevating permissions, but the holes are fairly minor and would be hard to exploit.

[4]

The Reg FOSS desk encountered [5]sudo in the first public beta of Mac OS X, way back in 2000, but the classic C version is a venerable tool. It's so old that precise initial dates are lost to time, but the [6]project's own history says it dates back to 1980. (The project's logo is much younger than the code – it's a reference to a [7]2006 XKCD comic .) Ubuntu has included the sudo command – and discouraged use of the all-powerful root account – since its very first release, 4.10 "Warty Warthog."

[8]

[9]

The [10]new sudo-rs implementation is a total rewrite, and project lead Marc Schoolderman of the [11]Trifecta Tech Foundation delivered a talk about it at last month's Ubuntu Summit, titled " [12]Sudo-rs and beyond ." This vulture attended that talk and spoke to Schoolderman afterwards, so we contacted him. Here's what happened from the horse's mouth:

We've fixed two issues which for convenience I'll call the "password timeout issue" and the "timestamp auth" issue.

1. Password timeout issue ("Low" severity)

Normally, sudo asks for a password with a timeout (default = 5 minutes). The problem was, if you type something in and DON'T hit Enter , whenever the timeout occurred you would see whatever you typed in spat back out at the terminal (except if you had the pwfeedback setting enabled, which most users probably don't).

Essentially, this enables a social attack: coax someone into typing in (a fragment of) their password in sudo and then distract them before they hit Enter … For 5 minutes.

But we did want to take this seriously: typically if someone pulls this off they'll typically have obtained the admin password and users don't expect sudo to have a secret "reveal password" feature.

2. timestamp_auth ("Moderate" severity)

Essentially: sudo is known for "remembering" a prior authentication for a brief while. There is a setting in sudo that allows changing what password it asks for – but sudo-rs would ignore that setting when "remembering" the authentication. That meant that this configuration setting (called targetpw ) was essentially broken.

This had zero impact in default installations, since this configuration setting is not on by default. Also, the users who could abuse this would have to be highly privileged (i.e. explicitly allowed to run commands as other users in the sudo policy).

Given that many people in the Linux world have strong feelings about Rust, both for and against, he also pointed out that neither issue was related to memory safety – and therefore not directly to Rust itself at all.

That said, both bugs do have security implications – even if they're only slim ones – so it's worth discussing them and assigning numbers. Sharing the information – and the fixes, and the reasons for the fixes – helps spread the word. He told us that the team had also backported the security fixes to the version of sudo-rs in Debian "stable," which helps make life for downstream packagers easier.

Since the [13]release of Questing almost exactly a month ago, this is the second time that the bug-hunters' spotlight has focused on the new Rust components. Back on October 23, Julian Andres Klode [14]posted a message to the ubuntu-security-announce mailing list revealing a date-handling bug in the Rust coreutils.

[15]

Canonical's own [16]Bug #2127970 has the details. The date -r $FILENAME command [17]is intended to report the last time a file changed: -r, --reference=FILE

display the last modification time of FILE

The new Rusty date command didn't. It returned the current date instead, which is what happens if you just type the bare date command. Among other things, this broke automatic updates. The background checks couldn't tell if files were older than a given date.

[18]Snap out of it: Canonical on Flatpak friction, Core Desktop, and the future of Ubuntu

[19]Linux vendors are getting into Ubuntu – and Snap

[20]Ubuntu Unity hanging by a thread as wunderkind maintainer gets busy with life

[21]Ubuntu users left waiting after Canonical's servers take weekend off

As [22]discussed on Reddit , this is because the Rust commands silently accept all the same switches as the C versions from the [23]GNU coreutils . As a [24]comment noted , this is quite common behavior in packages that ship replacements for older, more complex tools – such as the [25]Postfix sendmail command , which is a much simpler replacement for the classic sendmail (see the bootnote).

The good news is that the Rust date issue didn't cause serious breakage. A normal check for updates was unaffected: run an update, the fixed date command was installed, and the problem went away. This one is a security issue, and so the still-young sudo-rs project went through the full Coordinated Vulnerability Disclosure process. Schoolderman told us: "Internally, we're pleased with how smoothly this process went, and our interactions with other stakeholders in the open source community."

This kind of thing is important, and it's why interim Ubuntu releases exist – to get new tools out there early, so that people can find the issues that nobody anticipated. Schoolderman concluded:

I think this kind of attention that seeks out and gets bugs fixed is one of the reasons they made bold choices in 25.10 like adopting sudo-rs, Rusty coreutils, but also [26]chrony , Wayland, etc.

Bootnote

The original sendmail program was written by [27]Eric Allman , and it is [28]renowned : "Sendmail has the reputation of having the most hideous configuration file in the history of mankind." During his Unix apprenticeship in the 1980s, this vulture had to learn to write a basic sendmail.cf file. As the [29]Linux Network Administrator's Guide puts it:

You aren't a real Unix system administrator until you've edited a sendmail.cf file. It's also been said that you're crazy if you've attempted to do so twice.

At [30]last year's EuroBSDCon , this vulture met Allman, and got his autograph. ®

Get our [31]Tech Resources



[1] https://ubuntu.com/security/notices/USN-7867-1

[2] https://www.theregister.com/2025/05/08/ubuntu_2510_makes_rusk_sudo_default/

[3] https://www.theregister.com/2025/03/19/ubuntu_2510_rust/

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aRYOpqnkjdKtgQOODnRbzAAAAUc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[5] https://www.sudo.ws/

[6] https://www.sudo.ws/about/history/

[7] https://xkcd.com/149/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aRYOpqnkjdKtgQOODnRbzAAAAUc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aRYOpqnkjdKtgQOODnRbzAAAAUc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[10] https://github.com/trifectatechfoundation/sudo-rs

[11] https://trifectatech.org/

[12] https://discourse.ubuntu.com/t/sudo-rs-and-beyond/67098

[13] https://www.theregister.com/2025/10/14/ubuntu_2510_is_here/

[14] https://lists.ubuntu.com/archives/ubuntu-security-announce/2025-October/009890.html

[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aRYOpqnkjdKtgQOODnRbzAAAAUc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[16] https://bugs.launchpad.net/ubuntu/+source/rust-coreutils/+bug/2127970

[17] https://man7.org/linux/man-pages/man1/date.1.html

[18] https://www.theregister.com/2025/11/03/canonical_jon_seager_qa/

[19] https://www.theregister.com/2025/10/31/linux_vendors_getting_into_snap/

[20] https://www.theregister.com/2025/10/29/ubuntu_unity_child_maintainer/

[21] https://www.theregister.com/2025/09/08/canonical_server_outage/

[22] https://www.reddit.com/r/linux/comments/1oetmbo/ubuntu_2510_unattended_upgrades_broken_due_to/

[23] https://www.gnu.org/software/coreutils/

[24] https://www.reddit.com/r/linux/comments/1oetmbo/comment/nl98u2d/

[25] https://www.postfix.org/mailq.1.html

[26] https://documentation.ubuntu.com/server/how-to/networking/serve-ntp-with-chrony/

[27] https://www.internethalloffame.org/inductee/eric-allman/

[28] http://solaris-x86.org/documents/tutorials/sendmail.mhtml

[29] https://www.oreilly.com/library/view/linux-network-administrators/1565924002/ch18.html

[30] https://www.theregister.com/2024/10/01/freebsd_and_samba_funding/

[31] https://whitepapers.theregister.com/