[Bug 2130433] [NEW] sudo-rs breaks SSSD centralized sudo rules
Adam Stark
2130433 at bugs.launchpad.net
Fri Oct 31 13:36:58 UTC 2025
Public bug reported:

I have a home-lab setup with a FreeIPA server providing user info,
login, and sudoers rules. This worked well under legacy sudo (now
sudo.ws). On the client side (Ubuntu), it uses SSSD to make requests to
the FreeIPA server. PAM, NSS, and autofs still work.

However, this does not work with sudo-rs. It loads user info, but not
sudoers rules, from SSS. Looking at the source, it seems that sudo-rs
*only* looks at the sudoers files. Previously, I believe sudo had a
pluggable architecture that loaded libsss-sudo.

I know this is not in keeping with sudo-rs's philosophy, but it seems
like this would be a dealbreaker for most enterprise users with
centralized sudo management.

It seems to me that either:

* sudo-rs should be able to get info from other sources, e.g., sssd, *or*
* sssd should write sudoers info to the file system for sudo-rs to read

Possibly sudo-rs should be listed as Breaks: libsss-sudo package

** Affects: rust-sudo-rs (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/2130433
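
A defender-side check for the condition this report describes, added here as an example and not code from the report, sudo-rs or SSSD: it flags a host whose nsswitch.conf names `sss` as a `sudoers` source while the installed sudo identifies itself as sudo-rs. The function names, the sample inputs (constructed) and the assumption that the `sudo --version` banner contains the string "sudo-rs" are mine.

```shell
#!/bin/sh
# Added example (not from the bug report): flag hosts whose sudo rules come
# from SSSD while the sudo binary is sudo-rs, which reads only sudoers files.

# Print each source named on the "sudoers:" line of an nsswitch.conf-style
# file, one per line; comments and [STATUS=action] items are dropped.
sudoers_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' \
        -e 's/^[[:space:]]*sudoers:/sudoers: /' "$1" |
        awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) print $i }'
}

# Succeed if a version banner identifies sudo-rs.
# Assumption: the banner contains the literal string "sudo-rs".
is_sudo_rs() {
    case "$1" in
        *sudo-rs*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify NSSWITCH_FILE VERSION_BANNER prints one verdict:
#   affected    sss is a sudoers source and sudo is sudo-rs
#   unaffected  sss is a sudoers source and sudo is not sudo-rs
#   files-only  sss is not configured as a sudoers source
classify() {
    if sudoers_sources "$1" | grep -qx sss; then
        if is_sudo_rs "$2"; then echo affected; else echo unaffected; fi
    else
        echo files-only
    fi
}

# Constructed sample input: an SSSD/FreeIPA client's nsswitch.conf excerpt.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:   files systemd sss
# sudoers: files
sudoers:  files [NOTFOUND=continue] sss   # rules served by SSSD
EOF

# Constructed banners; on a live host use: sudo --version | head -n 1
classify "$sample" "sudo-rs 0.0.0"        # placeholder version, sudo-rs banner
classify "$sample" "Sudo version 0.0.0"   # placeholder version, sudo.ws style
rm -f "$sample"
```

A host reported as `affected` still resolves users through SSSD, but its centrally managed sudo rules are not consulted, so only the local sudoers files decide access.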