[Bug 2113928] Re: [MIR] rust-sudo-rs
Didier Roche-Tolomelli
2113928 at bugs.launchpad.net
Tue Jul 8 10:26:51 UTC 2025
Review for Source Package: rust-sudo-rs
[Summary]
MIR team ACK under the constraint to answer and potentially work on the below listed recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: sudo-rs.
I see that removing the -dev package is in progress on https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2115785.
Notes:
I reviewed 0.2.5-5ubuntu2, which is still in proposed at the moment of this writing. This is the version which adds some vendoring instructions and enhancements.
Recommended TODOs:
1. The current release is not packaged. I agree that 0.2.7 was only released last week, but we didn’t get 0.2.6 either, which was released early in May. I suggest that we update to the new version, which has quite some changes and new features, as this is a high profile update for questing.
2. There are quite some Rust warnings during the build about unused functions and so on. I suggest that we work with upstream to limit those warnings and get a clean build output.
3. Can we work with upstream so that end-user facing strings are marked for and support translation?
[Rationale, Duplication and Ownership]
The foundation team is committed to own long term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- rust-sudo-rs checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
[Embedded sources and static linking]
OK:
- Rust package that has all dependencies vendored. It does neither
have *Built-Using (after build). Nor does the build log indicate
built-in sources that are missed to be reported as Built-Using.
- rust package using dh_cargo (dh ... --buildsystem cargo)
- Includes vendored code, the package has documented how to refresh this code at debian/README.source
[Security]
OK:
- history of CVEs does not look concerning (were quickly fixed on this young project)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (dropping permissions, using temporary environments,
restricted users/groups, seccomp, systemd isolation features,
apparmor, ...)
Problems:
- does deal with system authentication (pam) and uses setuid bits. We need a security review due to this.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems:
- the current release is NOT packaged (0.2.7, we are at 0.2.5)
[Upstream red flags]
OK:
- no Errors during the build
- no incautious use of malloc/sprintf (as far as we can check it). It’s rust!
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user 'nobody' outside of tests
- use of setuid, but ok because it’s the expected feature of this tool
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
Problems:
- There are quite some Rust warnings during the build about unused functions and so on. I suggest that we work with upstream to limit those warnings and get a clean build output.
- no translation present.
** Changed in: rust-sudo-rs (Ubuntu)
Assignee: Didier Roche-Tolomelli (didrocks) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rust-sudo-rs in Ubuntu.
https://bugs.launchpad.net/bugs/2113928
Title:
[MIR] rust-sudo-rs
Status in rust-sudo-rs package in Ubuntu:
New
Bug description:
[Availability]
The package rust-sudo-rs is already in Ubuntu universe.
The package rust-sudo-rs builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/rust-sudo-rs
[Rationale]
The package rust-sudo-rs is required in Ubuntu main as a memory-safe alternative to sudo.
The package rust-sudo-rs will generally be useful for a large part of our user base.
rust-sudo-rs covers the most common sudo cases of sudo, not everything.
sudo and sudo-rs, both will be supported in the next LTS.
sudo-rs is recommended by sudo which we already support.
There is no other/better way to solve this that is already in main or should go universe->main instead of this.
All binary packages built by rust-sudo-rs need to be in main to be a suitable sudo replacement.
The package rust-sudo-rs is required in Ubuntu main no later than August 14, 2025 (QQ Feature Freeze) to meet the publicly committed timeline.
Earlier is better to get sufficient testing.
[Security]
- Had 3 security issues in the past (CVE-2023-42456, CVE-2025-46717, CVE-2025-46718)
The issues were fixed quickly by the upstream.
Last two are Low severity in the CWE-497 category.
Upstream also maintains security advisories here
https://github.com/trifectatechfoundation/sudo-rs/security/advisories
https://www.openwall.com/lists/oss-security/2023/11/02/1
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo-rs
https://security-tracker.debian.org/tracker/source-package/rust-sudo-rs
https://ubuntu.com/security/cves?package=rust-sudo-rs is 500: Server error for some reason.
https://ubuntu.com/security/cves?package=sudo lists rust-sudo-rs bugs as well.
- /usr/lib/cargo/bin/sudo has suid bit set. It is required by design.
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs
- Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues
- The package has important open bugs, listing them:
- https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log TBD
[MP in review for build time tests https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]
- The package runs an autopkgtest, and is currently passing on amd64, arm64, armhf, ppc64el, s390x
link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1/+build/30931402/+files/buildlog_ubuntu-questing-amd64.rust-sudo-rs_0.2.5-5ubuntu1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to debian/rules:
https://git.launchpad.net/ubuntu/+source/rust-sudo-rs/tree/debian/rules
[UI standards]
- Application is end-user facing, Translation is NOT present.
I did not find much trace of user interaction beside the following.
$ grep -r -A 1 -e user_info! -e user_warn! -e user_error! src/
src/sudo/pam.rs: user_warn!("Authentication failed, try again.");
src/sudo/pam.rs- }
--
src/su/context.rs: user_warn!(
src/su/context.rs- "using restricted shell {}",
--
src/su/mod.rs: user_warn!("Authentication failed, try again.");
src/su/mod.rs- }
--
src/exec/mod.rs: user_error!("unable to change directory to {}: {}", path.display(), err);
src/exec/mod.rs- if is_chdir {
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Rust dependencies are vendored per Rust MIR policy]
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be https://launchpad.net/~foundations-bugs and I have their acknowledgement for
that commitment
- The future owning team is already subscribed to the package
- The team foundations-bugs is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM)
- The team foundations-bugs is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).
- This package uses vendored rust code tracked in Cargo.lock as shipped,
in the source package
refreshing that code is outlined in debian/README.source
- This package uses vendored code, refreshing that code is outlined
in debian/README.source
- This package is rust based and vendors all non language-runtime
dependencies
[MP in review, this should be done before the final Ack https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1
[Background information]
Upstream Name is sudo-rs
Link to upstream project https://github.com/trifectatechfoundation/sudo-rs
https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995/7
https://discourse.ubuntu.com/t/adopting-sudo-rs-by-default-in-ubuntu-25-10/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2113928/+subscriptions