[Bug 2130433] Re: sudo-rs breaks SSSD centralized sudo rules
Simon Johnsson
2130433 at bugs.launchpad.net
Tue Nov 11 14:52:13 UTC 2025
Hi Adam! Thanks for the bug report. I don't think sudo-rs currently has
support for sudoers plugins at the moment, as they are loaded using
/etc/sudo.conf (which is not evaluated by sudo-rs). This, as you pointed
out, is likely why the sudoers rules do not get loaded from SSSD.
Upstream currently explicitly does not support other sudoers plugins
such as sudoers.ldap, but I would delegate this discussion to upstream
as a feature request for libsss-sudo support in particular, or sudoers
plugin support in general.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rust-sudo-rs in Ubuntu.
https://bugs.launchpad.net/bugs/2130433
Title:
sudo-rs breaks SSSD centralized sudo rules
Status in rust-sudo-rs package in Ubuntu:
Confirmed
Bug description:
I have a home-lab setup with a FreeIPA server providing user info,
login, and sudoers rules. This worked well under legacy sudo (now
sudo.ws). On the client side (Ubuntu), it uses SSSD to make requests
to the FreeIPA server. PAM, NSS, and autofs still work.
However, this does not work with sudo-rs. It loads user info, but not
sudoers rules, from SSS. Looking at the source, it seems that sudo-rs
*only* looks at the sudoers files. Previously, I believe sudo had a
pluggable architecture that loaded libsss-sudo.
I know this is not in keeping with sudo-rs's philosophy, but it seems
like this would be a dealbreaker for most enterprise users with
centralized sudo management.
It seems to me that either:
* sudo-rs should be able to get info from other sources, e.g., sssd, *or*
* sssd should write sudoers info to the file system for sudo-rs to read
Possibly sudo-rs should be listed as Breaks: libsss-sudo package
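
A check an administrator could run on a client before switching it to sudo-rs, given here as an added example that is not part of the bug report or of either project's code: it lists sudo rule sources other than the sudoers files, plus any plugins named in sudo.conf. It assumes SSSD or LDAP sources are declared on the `sudoers:` line of nsswitch.conf; the function names and the sample input are hypothetical.

```shell
#!/bin/sh
# Added example: find sudo rule sources outside the sudoers files.
# Assumption: SSSD/LDAP sources appear on the "sudoers:" line of nsswitch.conf.

# Print each source on the sudoers: line other than "files", one per line.
non_file_sudoers_sources() {   # $1 = nsswitch.conf-style file
    sed -e 's/#.*//' "$1" | awk '
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")        # drop the database name
            gsub(/\[[^]]*\]/, " ")    # drop actions such as [NOTFOUND=return]
            for (i = 1; i <= NF; i++) if ($i != "files") print $i
        }'
}

# Print "<symbol> <object>" for every uncommented Plugin line in sudo.conf.
sudo_conf_plugins() {          # $1 = sudo.conf-style file
    sed -e 's/#.*//' "$1" | awk '$1 == "Plugin" { print $2, $3 }'
}

# Return 0 (and say why) when rules may come from outside the sudoers files.
check_sudo_rs_gap() {          # $1 = nsswitch.conf, $2 = sudo.conf (optional)
    gap=1
    srcs=$(non_file_sudoers_sources "$1" | tr '\n' ' ')
    if [ -n "$srcs" ]; then
        echo "sudoers sources other than files: $srcs"
        gap=0
    fi
    if [ -f "$2" ] && [ -n "$(sudo_conf_plugins "$2")" ]; then
        echo "sudo.conf loads plugins:"
        sudo_conf_plugins "$2" | sed 's/^/  /'
        gap=0
    fi
    return "$gap"
}

# Demo on constructed sample input (not taken from the bug report).
demo=$(mktemp)
printf '%s\n' 'passwd: files sss' 'sudoers: files [NOTFOUND=continue] sss' > "$demo"
check_sudo_rs_gap "$demo" /nonexistent/sudo.conf || echo "no external sources"
rm -f "$demo"
```

On a real client the call would be `check_sudo_rs_gap /etc/nsswitch.conf /etc/sudo.conf`; a zero exit status means rules may live somewhere other than the sudoers files.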