[Bug 2113928] Re: [MIR] rust-sudo-rs

Federico Quattrin 2113928 at bugs.launchpad.net
Tue Jul 29 14:07:39 UTC 2025


I reviewed rust-sudo-rs 0.2.5-5ubuntu2 as checked into questing. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. 

rust-sudo-rs is a re-implementation of sudo and su written in Rust.

- CVE History
  - The package has only 3 CVEs.
  - 1 CVE has been fixed in version 0.2.0
  - 2 CVEs have been fixed in version 0.2.6. Latest version we have is 0.2.5.
    I recommend upgrading in devel to 0.2.6 or 0.2.7 since it also comes with
    an apparmor profile feature.
- Build-Depends
  - debhelper-compat (= 13)
  - dh-sequence-cargo
  - libpam-dev
  - pandoc [!i386]
  - cargo:native
  - rustc:native (>= 1.70)
  - libstd-rust-dev
  - and vendored packages:
    - diff at 0.1.13
    - glob at 0.3.2
    - libc at 0.2.171
    - log at 0.4.27
    - pretty_assertions at 1.4.1
    - yansi at 1.0.1
- pre/post inst/rm scripts
  - ok
- init scripts
  - no flaws found
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - no flaws found
- binaries in PATH
  - su, sudo, and visudo
- sudo fragments
  - no flaws found
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - it has tests and they run at build time.
- cron jobs
  - none
- Build logs
  - no flaws found

- Processes spawned
  - no flaws found
- Memory management
  - no flaws found
- File IO
  - no flaws found
- Logging
  - no flaws found
- Environment variable usage
  - no flaws found
- Use of privileged functions
  - no flaws found
- Use of cryptography / random number sources etc
  - no flaws found
- Use of temp files
  - no flaws found
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none (Coverity does not support Rust)
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none

The latest version we have is 0.2.5. This version does not support NOEXEC
and sudo edit.

Version 0.2.6+ has a cargo feature to enable an AppArmor profile and supports
NOEXEC. We might want to enable that feature for future releases when
building the deb pkg. Version 0.2.6 also fixes two low CVEs.

Upstream maintains a list of relevant CVEs that affected sudo in the past,
and double-checks that sudo-rs is not affected when implementing new features.
https://github.com/trifectatechfoundation/sudo-rs/blob/main/docs/sudo-cve.md
They update the list when they introduce new features.

Upstream recently performed an external code audit: 
https://github.com/trifectatechfoundation/sudo-rs/blob/main/docs/audit/audit-report-sudo-rs.pdf

Upstream has a SECURITY.md with proper information on how to contact them if
you need to report a security issue. We reached out to them to discuss
something that caught our attention, and they replied in about 1 hour.
This was a bug related to NOEXEC and sudo --list, which has been addressed
promptly.

The edit flag (-e) has not been implemented.
e.g.:
$ sudo-rs -e /test
error: `--edit` flag has not yet been implemented

When installing it on Questing, I did not have the smoothest experience:
$ sudo apt install sudo-rs
Solving dependencies... Error!  
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

Unsatisfied dependencies:
 sudo-rs : Breaks: sudo (< 1.9.16p2-1ubuntu2~)
Error: Unable to satisfy dependencies. Reached two conflicting decisions:
   1. ubuntu-minimal:amd64 is selected for install
   2. ubuntu-minimal:amd64 Depends sudo
      but none of the choices are installable:
      - sudo:amd64=1.9.16p2-1ubuntu1 is not selected for install because:
        1. sudo-rs:amd64=0.2.5-5ubuntu1 is selected for install
        2. sudo-rs:amd64 Breaks sudo (< 1.9.16p2-1ubuntu2~)
      - sudo-ldap:amd64=1.9.16p2-1ubuntu1 is not selected for install because:
        1. sudo-rs:amd64=0.2.5-5ubuntu1 is selected for install as above
        2. sudo-rs:amd64 Breaks sudo-ldap (< 1.9.16p2-1ubuntu2~)


Security team ACK for promoting rust-sudo-rs to main. We recommend upgrading
to the latest upstream version to fix 2 CVEs and gain the NOEXEC feature, and
the apparmor feature.


** Changed in: rust-sudo-rs (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rust-sudo-rs in Ubuntu.
https://bugs.launchpad.net/bugs/2113928

Title:
  [MIR] rust-sudo-rs

Status in rust-sudo-rs package in Ubuntu:
  In Progress

Bug description:
  [Availability]
  The package rust-sudo-rs is already in Ubuntu universe.
  The package rust-sudo-rs builds for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/rust-sudo-rs

  [Rationale]
  The package rust-sudo-rs is required in Ubuntu main as a memory-safe alternative to sudo.
  The package rust-sudo-rs will generally be useful for a large part of our user base.
  rust-sudo-rs covers the most common sudo cases of sudo, not everything.
  sudo and sudo-rs, both will be supported in the next LTS.
  sudo-rs is recommended by sudo which we already support.
  There is no other/better way to solve this that is already in main or should go universe->main instead of this.
  All binary packages built by rust-sudo-rs need to be in main to be a suitable sudo replacement.
  The package rust-sudo-rs is required in Ubuntu main no later than August 14, 2025 (QQ Feature Freeze) to meet the publicly committed timeline.
  Earlier is better to get sufficient testing.

  [Security]
  - Had 3 security issues in the past (CVE-2023-42456, CVE-2025-46717, CVE-2025-46718)

  The issues were fixed quickly by the upstream.

  Last two are Low severity in the CWE-497 category.

  Upstream also maintains security advisories here
  https://github.com/trifectatechfoundation/sudo-rs/security/advisories

  https://www.openwall.com/lists/oss-security/2023/11/02/1
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo-rs
  https://security-tracker.debian.org/tracker/source-package/rust-sudo-rs
  https://ubuntu.com/security/cves?package=rust-sudo-rs is 500: Server error for some reason.
  https://ubuntu.com/security/cves?package=sudo lists rust-sudo-rs bugs as well.

  - /usr/lib/cargo/bin/sudo has suid bit set. It is required by design.
  - Package does not install services, timers or recurring jobs

  - Package does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Package does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs
    - Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues
  - The package has important open bugs, listing them:
    - https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
    it makes the build fail, link to build log TBD
    [MP in review for build time tests https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]

  - The package runs an autopkgtest, and is currently passing on amd64, arm64, armhf, ppc64el, s390x
    link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs

  - The package does not have failing autopkgtests right now

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1/+build/30931402/+files/buildlog_ubuntu-questing-amd64.rust-sudo-rs_0.2.5-5ubuntu1_BUILDING.txt.gz
  - Lintian overrides are not present

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
    questions higher than medium

  - Packaging and build is easy, link to debian/rules:
  https://git.launchpad.net/ubuntu/+source/rust-sudo-rs/tree/debian/rules

  [UI standards]
  - Application is end-user facing, Translation is NOT present.

  I did not find much trace of user interaction beside the following.

  $ grep -r -A 1 -e user_info! -e user_warn! -e user_error! src/
  src/sudo/pam.rs:                    user_warn!("Authentication failed, try again.");
  src/sudo/pam.rs-                }
  --
  src/su/context.rs:            user_warn!(
  src/su/context.rs-                "using restricted shell {}",
  --
  src/su/mod.rs:                    user_warn!("Authentication failed, try again.");
  src/su/mod.rs-                }
  --
  src/exec/mod.rs:                    user_error!("unable to change directory to {}: {}", path.display(), err);
  src/exec/mod.rs-                    if is_chdir {

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main
    [Rust dependencies are vendored per Rust MIR policy]

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The owning team will be https://launchpad.net/~foundations-bugs and I have their acknowledgement for
    that commitment
  - The future owning team is already subscribed to the package

  - The team foundations-bugs is aware of the implications by a static build and
    commits to test no-change-rebuilds and to fix any issues found for the
    lifetime of the release (including ESM)

  - The team foundations-bugs is aware of the implications of vendored code and (as
    alerted by the security team) commits to provide updates and backports
    to the security team for any affected vendored code for the lifetime
    of the release (including ESM).

  - This package uses vendored rust code tracked in Cargo.lock as shipped,
    in the source package
    refreshing that code is outlined in debian/README.source
  - This package uses vendored code, refreshing that code is outlined
    in debian/README.source

  - This package is rust based and vendors all non language-runtime
    dependencies
    [MP in review, this should be done before the final Ack https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1

  [Background information]
  Upstream Name is sudo-rs
  Link to upstream project https://github.com/trifectatechfoundation/sudo-rs
  https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995/7
  https://discourse.ubuntu.com/t/adopting-sudo-rs-by-default-in-ubuntu-25-10/
