Memory-Safe Sudo To Become the Default In Ubuntu
- Reference: 0177354327
- News link: https://news.slashdot.org/story/25/05/06/213254/memory-safe-sudo-to-become-the-default-in-ubuntu
- Source link:
> Ubuntu 25.10 is [2]set to adopt sudo-rs by default . Sudo-rs is a memory-safe reimplementation of the widely-used sudo utility, written in the Rust programming language. This move is part of a broader effort by Canonical to improve the resilience and maintainability of core system components. [...]
>
> The decision to adopt sudo-rs is in line with Canonical's commitment to [3]Carefully But Purposefully increase the resilience of critical system software, by adopting Rust. Rust is a programming language with strong memory safety guarantees that eliminates many of the vulnerabilities that have historically plagued traditional C-based software. Sudo-rs is part of the Trifecta Tech Foundation's [4]Privilege Boundary initiative , which aims to handle privilege escalation with memory-safe alternatives.
[1] https://slashdot.org/~RoccamOccam
[2] https://trifectatech.org/blog/memory-safe-sudo-to-become-the-default-in-ubuntu/
[3] https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995
[4] https://trifectatech.org/initiatives/privilege-boundary/
As long as.... (Score:5, Funny)
...it can still make me a sandwich we're good.
Re: (Score:2)
It's the real sudo's memory unsafety (forgetting how many sandwiches it's made and who for) that allows for this. Don't worry, you can use sudo-rs to run sudo.
Please explain⦠(Score:1)
Could someone explain to a ânon-coderâ(TM) what this means in laymanâ(TM)s terms please. ;)
Re:Please explain⦠(Score:5, Insightful)
Someone re-wrote a piece of code that already worked into their preferred language so that they could trumpet their accomplishment.
Re: (Score:2)
> into their preferred language
And, of course, that preferred language happens to be Rust.
Re: (Score:2)
As long as you pretend the 2000 or so lines of Trust_Me_Bro { ... } unsafe blocks aren't actually there ;)
Re: (Score:2)
Using std::, lol
Re: (Score:2)
root. changing access levels. Avoiding restrictions.
Re: (Score:2)
Slashdot doesn't do UTF-8. Yeah, I know... pathetic.
Welp (Score:3)
This is probably gonna break some of my 20-year-old plus scripts
Re: Welp (Score:2)
I'm thinking it's in addition to sudo; able to change back to sudo as default
Re: (Score:2)
Meh. The big distros have already deprecated sudo in favor of policykit (which has not yet been re-written in rust).
Re: (Score:2)
Sun tried that 25 years ago and even today it is hard to find correct examples of how to create the configuration to make it useful. There were a lot of good things in Trusted Solaris that never got used even in most places that decided they needed the "Trusted" version.
Re: (Score:1)
Yes, [1]it may break things [github.com], although it's drop-in compatible for the subset of sudo functionality it implements. I'm not sure if Ubuntu will migrate everyone by default on upgrade, but they'll almost certainly keep the original sudo as an option for people that need it.
[1] https://github.com/trifectatechfoundation/sudo-rs?tab=readme-ov-file#differences-from-original-sudo
Re: (Score:1)
If your 20 year old scripts rely on sudo, they're already broken. Fix your permissions.
Great, but ... (Score:2)
... how much of the Rust environment will I have to install just to fix this one bad sudo executable?
Avoiding dangers of dependency explosions (Score:1)
This blog post discusses the risk of depending on dozens of unstable packages, not uncommon for programs written in modern languages:
[1] Sudo-rs dependencies: when less is better [memorysafety.org]
> The sudo utility represents a critical privilege boundary, so it should be memory safe. [...] Ruben Nijveld from the Tweede golf team offers his perspective here on one of the greatest challenges we faced when developing software that can be widely adopted: Rust crate dependencies.
> When sudo-rs development started, we added several dependencies using Rust's crates ecosystem to quickly ramp up development. During development we accrued approximately 135 transitive (direct and indirect) dependencies. Once this was identified, we managed to reduce our total dependencies down to three . In this blog, we explain why and how we did this.
The remaining dependencies are the core crates libc, glob, and log.
[1] https://www.memorysafety.org/blog/reducing-dependencies-in-sudo/
Re: (Score:2)
Rust executables are typically built with all rust modules statically linked, so only dependencies on libc and other system libraries remain:
$ ldd `which sudo-rs`
linux-vdso.so.1 (0x000072fbe0db3000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x000072fbe0cb6000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x000072fbe0c88000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x000072fbe0b9f000)
libc.so.6 => /lib/x86_64-
Re: (Score:2)
Nice, but that is not what the OP was asking about.
Re: (Score:1)
The immediate implication of my comment is that no "Rust environment" needs to be installed for the sudo-rs executable to function. I guess you could consider statically linked code an "environment", but at any rate it doesn't pull in a bunch of dependencies from the package system that you would get with e.g. a Java or Node application.
Re: (Score:2)
I got two different answers, both useful.
1) For someone who is unfamiliar with Rust, it appears that it can be statically linked to existing libraries. Good ... but that opens up the question of how secure a sudo.rs executable can be if an attack surface exists in someplace like libc.so (the 'old fashioned' C implementation). If I understood this response incorrectly, then:
2) A project to 'Rustify' any existing executable will be an involved job. Here ( [1]https://www.memorysafety.org/blog/reducing-dependenci [memorysafety.org]
[1] https://www.memorysafety.org/blog/reducing-dependencies-in-sudo/
Is the claim that current sudo is not memory safe? (Score:5, Informative)
I find the title misleading. It suggests that the current sudo is not memory-safe, while in reality it is just not written in a memory-safe language. That attribute means very different things when talking about a language and a program. It honestly seems a bit arrogant from the Rust-fan-block to use that description, as if programs could not be memory safe unless they are written in a language that guarantees memory safety.
Re: (Score:3, Interesting)
[1]It wasn't memory safe in 2021 [mitre.org]. Maybe that was the last latent memory safety problem and no subsequent ones will ever be introduced, but I wouldn't count on it.
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
Re:Is the claim that current sudo is not memory sa (Score:5, Informative)
To be fair, [1]neither was Rust. [cve.org]
[1] https://www.cve.org/CVERecord?id=CVE-2021-28879
Re: (Score:1)
Yes, "unsafe" code blocks which show up a lot in low level libraries (in this case the standard library) are still subject to memory errors. It's still enormously helpful in practice that most application code (e.g. the ad-hoc string parsing code in the sudo CVE) can be categorically excluded from containing memory errors, leaving a smaller surface area to audit and harden.
Re: (Score:2)
You mean a new surface.
Re: (Score:2)
> it is just not written in a memory-safe language
The current trend is to say that "it is just not written in Rust", which is equivalent (according to the propagandists).
Don't care (Score:2)
I use su like god intended.
Re: (Score:2)
So, sudo su me.
Re: (Score:1)
Me too. I known what I'm doing.
Re: (Score:1)
Or maybe I don't
Re: (Score:2)
> I use su like god intended.
Me too. The thing is, users who are not Linux-savvy tend to use 'sudo' because they were told to. Then they tend to use it all the time, even when it shouldn't be used.
made a better doohickey (Score:2)
That's great, now your doohickey is memory safe. Which sounds like a good idea to me.
But why not just get rid of the doohickey completely, and waste less of your time and cognitive ability on something you don't need in the first place.
Re: (Score:2)
If you're claiming that sudo is unnecessary, you should probably also give some hints about how one could accomplish the tasks people currently use sudo for, without using some variant of sudo.
Before anyone comes bitching about this being MIT (Score:2)
... Please remmeber that GNU is free (as in fredom) to fork sudo-rs, relicense it as GPL and mantain the fork, meanwhile, if one forks GPL code, one is NOT FREE to re-license it.
So, if one is worried about GNU/Linux (or Ubuntu, specifically) being less GNU and less GPL by the minute, then get forking, re-licensing and maintaining.
This in not a ploy to make linux "less free", is just linux evolving into a new codebase, in a more modern and (allegedly) more safe language.
JM2C
YMMV
Rust == memory safe automatically? (Score:2)
What was wrong with the current / usual sudo?
Re: (Score:2)
Memory-Safe Sudo To Become the Default In Ubuntu
should be
> "Memory-Safe" Sudo To Become the Default In Ubuntu
or rather
> Rust Sudo To Become the Default In Ubuntu
Why? (Score:2)
I canâ(TM)t think of a single time I have ever questioned the memory safety of sudo
That's cool! (Score:2)
Although I would like sudo that is formally verified, not simply memory safe. Maybe something worth doing in Ada/SPARK.