What is sudo-rs and what is it for?
sudo-rs is a rewrite of sudo in Rust with an emphasis on security and clear defaults. For most users, the behavior of the commands does not change, but administrators should be aware of configuration and compatibility nuances.
In this article we will look at why the new implementation appeared, how it differs, and how to work with it alongside classic sudo without trouble.
Why switch to sudo-rs
At first glance, not much has changed. However, there are still reasons to upgrade:
- Memory safety. Rust's mechanisms (the borrow checker, etc.) minimize typical memory-related vulnerabilities.
- Modern code base. It’s easier to maintain and develop than 30-year-old C code.
- Clearer default settings. Outdated, potentially risky options have been removed.
- Influx of new contributors. Young developers are more willing to work with modern, secure languages.
Simply put, the old, bloated sudo code is difficult to modify and extend with new features. Rewriting the core in a modern, “safe” language is often faster and more promising. And this increases the chances of active development of the project.
What changes between sudo and sudo-rs
For the average user, almost nothing changes. You still type sudo, but the system itself runs sudo-rs. The text of some warnings and error messages may differ, but overall the behavior is as close as possible.
For administrators and advanced users there are more differences:
- sudo-rs has no sendmail support, which classic sudo could use to send notifications about invocations.
- Authentication is always via PAM. This means that the system must be configured for PAM; resource limits, umask, etc. are set in PAM profiles, not in sudoers.
- Wildcards are not supported in argument positions to avoid common sudoers configuration errors.
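One way to audit an existing sudoers file for the last point before migrating, as an added example (not part of the original article and not sudo-rs code): the script flags command specs that carry an unescaped wildcard in the argument part. The function names and sample rules are constructed, and the parsing is a simplified reading of sudoers syntax (assumed: no digest prefixes, no inline comments).

```python
import re

GLOB = re.compile(r"(?<!\\)[*?\[]")                     # unescaped glob metacharacter
PREFIX = re.compile(r"^(?:\([^)]*\)\s*|[A-Z_]+:\s*)+")  # (runas) and TAG: prefixes
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "@include")

def logical_lines(text):
    """Yield (first_line_number, joined_line), folding backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def find_arg_wildcards(text):
    """Return [(line_number, command_spec)] for specs with a wildcard after the command path."""
    findings = []
    for n, line in logical_lines(text):
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        _, _, rhs = line.partition("=")          # user specs and Cmnd_Alias both use '='
        for spec in re.split(r"(?<!\\),", rhs):  # commands are comma-separated
            spec = PREFIX.sub("", spec.strip())
            parts = spec.split(None, 1)          # [path] or [path, arguments]
            if len(parts) == 2 and GLOB.search(parts[1]):
                findings.append((n, spec))
    return findings

# Constructed sample rules, not taken from a real system.
SAMPLE = r"""
# constructed sample
Defaults env_reset
Cmnd_Alias LOGS = /usr/bin/tail /var/log/*
alice ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx, /bin/cat /srv/app/*.conf
bob   ALL = /usr/sbin/fsck*
carol ALL = (ALL) /usr/bin/apt update, \
            /usr/bin/journalctl -u ?ginx
dave  ALL = /usr/bin/grep \* /etc/motd
"""

if __name__ == "__main__":
    for n, spec in find_arg_wildcards(SAMPLE):
        print(f"line {n}: wildcard in argument position: {spec}")
```

The rule for bob is not reported because its wildcard sits in the command path rather than in an argument, and the escaped `\*` in the rule for dave is a literal asterisk.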
sudo-rs is not the only alternative
Alternatives to sudo have been around for a long time:
- doas is a minimalistic, simplified replacement for sudo.
- RootAsRole is another implementation of similar functionality in Rust.
- Some people consider uid0 from systemd as an alternative (although this is not exactly the same thing, the task is similar).
There are other options listed on the official sudo website, but not all of them are in active development.
Bottom line
If you just use sudo and haven’t touched sudoers, there’s nothing to worry about. But if you manage servers with fine-tuned rights and your own rules, then we recommend that you take a closer look at the new utility.