[MIR] rust-sudo-rs

Bug #2113928 reported by Ravi Kant Sharma
Affects: rust-sudo-rs (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

[Availability]
The package rust-sudo-rs is already in Ubuntu universe.
The package rust-sudo-rs builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/rust-sudo-rs

[Rationale]
The package rust-sudo-rs is required in Ubuntu main as a memory-safe alternative to sudo.
The package rust-sudo-rs will generally be useful for a large part of our user base.
rust-sudo-rs covers the most common cases of sudo, not everything.
Both sudo and sudo-rs will be supported in the next LTS.
sudo-rs is recommended by sudo which we already support.
There is no other/better way to solve this that is already in main or should go universe->main instead of this.
All binary packages built by rust-sudo-rs need to be in main to be a suitable sudo replacement.
The package rust-sudo-rs is required in Ubuntu main no later than August 14, 2025 (QQ Feature Freeze) to meet the publicly committed timeline.
Earlier is better to get sufficient testing.

[Security]
- Had 3 security issues in the past (CVE-2023-42456, CVE-2025-46717, CVE-2025-46718)

The issues were fixed quickly by the upstream.

Last two are Low severity in the CWE-497 category.

Upstream also maintains security advisories here https://github.com/trifectatechfoundation/sudo-rs/security/advisories

https://www.openwall.com/lists/oss-security/2023/11/02/1
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo-rs
https://security-tracker.debian.org/tracker/source-package/rust-sudo-rs
https://ubuntu.com/security/cves?package=rust-sudo-rs is 500: Server error for some reason.
https://ubuntu.com/security/cves?package=sudo lists rust-sudo-rs bugs as well.

- /usr/lib/cargo/bin/sudo has suid bit set. It is required by design.
- Package does not install services, timers or recurring jobs

- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-sudo-rs
  - Upstream's bug tracker https://github.com/trifectatechfoundation/sudo-rs/issues
- The package has important open bugs, listing them:
  - https://github.com/trifectatechfoundation/sudo-rs/milestone/13 is required for 25.10 release
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log TBD
  [MP in review for build time tests https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]

- The package runs an autopkgtest, and is currently passing on amd64, arm64, armhf, ppc64el, s390x
  link to test logs https://autopkgtest.ubuntu.com/packages/rust-sudo-rs

- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field

- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1/+build/30931402/+files/buildlog_ubuntu-questing-amd64.rust-sudo-rs_0.2.5-5ubuntu1_BUILDING.txt.gz
- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf
  questions higher than medium

- Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/rust-sudo-rs/tree/debian/rules

[UI standards]
- Application is end-user facing, Translation is NOT present.

I did not find much trace of user interaction beside the following.

$ grep -r -A 1 -e user_info! -e user_warn! -e user_error! src/
src/sudo/pam.rs: user_warn!("Authentication failed, try again.");
src/sudo/pam.rs- }
--
src/su/context.rs: user_warn!(
src/su/context.rs- "using restricted shell {}",
--
src/su/mod.rs: user_warn!("Authentication failed, try again.");
src/su/mod.rs- }
--
src/exec/mod.rs: user_error!("unable to change directory to {}: {}", path.display(), err);
src/exec/mod.rs- if is_chdir {

[Dependencies]
- No further depends or recommends dependencies that are not yet in main
  [Rust dependencies are vendored per Rust MIR policy]

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be https://launchpad.net/~foundations-bugs and I have their acknowledgement for
  that commitment
- The future owning team is already subscribed to the package

- The team foundations-bugs is aware of the implications by a static build and
  commits to test no-change-rebuilds and to fix any issues found for the
  lifetime of the release (including ESM)

- The team foundations-bugs is aware of the implications of vendored code and (as
  alerted by the security team) commits to provide updates and backports
  to the security team for any affected vendored code for the lifetime
  of the release (including ESM).

- This package uses vendored rust code tracked in Cargo.lock as shipped,
  in the source package
  refreshing that code is outlined in debian/README.source
- This package uses vendored code, refreshing that code is outlined
  in debian/README.source

- This package is rust based and vendors all non language-runtime
  dependencies
  [MP in review, this should be done before the final Ack https://code.launchpad.net/~ravi-sharma/ubuntu/+source/rust-sudo-rs/+git/rust-sudo-rs/+merge/487231]

- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-sudo-rs/0.2.5-5ubuntu1

[Background information]
Upstream Name is sudo-rs
Link to upstream project https://github.com/trifectatechfoundation/sudo-rs
https://discourse.ubuntu.com/t/carefully-but-purposefully-oxidising-ubuntu/56995/7
https://discourse.ubuntu.com/t/adopting-sudo-rs-by-default-in-ubuntu-25-10/

summary: - MIR rust-sudo-rs
+ [MIR] rust-sudo-rs
Jeremy Bícha (jbicha)
tags: added: questing update-excuse
Changed in rust-sudo-rs (Ubuntu):
status: New → Incomplete
Changed in rust-sudo-rs (Ubuntu):
milestone: none → ubuntu-25.10-feature-freeze
assignee: nobody → Ravi Kant Sharma (ravi-sharma)
Changed in rust-sudo-rs (Ubuntu):
assignee: Ravi Kant Sharma (ravi-sharma) → nobody
Matthias Klose (doko) wrote :

this at least requires

 - vendoring of the package
 - building on i386

Ravi Kant Sharma (ravi-sharma) wrote :

$ lintian --pedantic
W: sudo-rs: unknown-field Static-Built-Using

description: updated
description: updated
Changed in rust-sudo-rs (Ubuntu):
status: Incomplete → New
description: updated
Changed in rust-sudo-rs (Ubuntu):
assignee: nobody → Didier Roche-Tolomelli (didrocks)
tags: added: sec-6925
Didier Roche-Tolomelli (didrocks) wrote :

Review for Source Package: rust-sudo-rs

[Summary]
MIR team ACK under the constraint to answer and potentially work on the below listed recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: sudo-rs.
I see that removing the -dev package is in progress on https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2115785.

Notes:
I reviewed 0.2.5-5ubuntu2, which is still in proposed at the moment of this writing. This is the version which adds some vendoring instructions and enhancements.

Recommended TODOs:
1. The current release is not packaged. I agree that 0.2.7 was only released last week, but we didn’t get 0.2.6 either, which was released early in May. I suggest that we update to the new version, which has quite some changes and new features, as this is a high profile update for questing.
2. There are quite some Rust warnings during the build about unused functions and so on. I suggest that we work with upstream to limit those warnings and get a clean build output.
3. Can we work with upstream so that end-user facing strings are marked for and support translation?

[Rationale, Duplication and Ownership]
The foundation team is committed to own long term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- no other Dependencies to MIR due to this
 - rust-sudo-rs checked with `check-mir`
 - all dependencies can be found in `seeded-in-ubuntu` (already in main)
 - none of the (potentially auto-generated) dependencies (Depends
   and Recommends) that are present after build are not in main
 - no -dev/-debug/-doc packages that need exclusion
 - No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- Rust package that has all dependencies vendored. It does neither
  have *Built-Using (after build). Nor does the build log indicate
  built-in sources that are missed to be reported as Built-Using.
- rust package using dh_cargo (dh ... --buildsystem cargo)
- Includes vendored code, the package has documented how to refresh this code at debian/README.source

[Security]
OK:
- history of CVEs does not look concerning (were quickly fixed on this young project)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features (dropping permissions, using temporary environments,
  restricted users/groups, seccomp, systemd isolation features,
  apparmor, ...)

Problems:
- does deal with system authentication (pam) and ...


Changed in rust-sudo-rs (Ubuntu):
assignee: Didier Roche-Tolomelli (didrocks) → Ubuntu Security Team (ubuntu-security)
Ravi Kant Sharma (ravi-sharma) wrote :

Thank you for the review.

Recommended TODOs:
> 1. The current release is not packaged. I agree that 0.2.7 was only released last week, but we didn’t get 0.2.6 either, which was released early in May. I suggest that we update to the new version, which has quite some changes and new features, as this is a high profile update for questing.

I am waiting for sudoedit (https://github.com/trifectatechfoundation/sudo-rs/milestone/13) to land upstream before packaging the latest version.

> 2. There are quite some Rust warnings during the build about unused functions and so on. I suggest that we work with upstream to limit those warnings and get a clean build output.

Ack. I will raise this with upstream.

> 3. Can we work with upstream so that end-user facing strings are marked for and support translation?

Ack. I will raise this with upstream.

Julian Andres Klode (juliank) wrote :

The warnings come from d/p/disable-test-timeout.diff I believe.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rust-sudo-rs - 0.2.5-5ubuntu3

---------------
rust-sudo-rs (0.2.5-5ubuntu3) questing; urgency=medium

  * Remove package librust-sudo-rs-dev (LP: #2115785)
  * Run test suite with default build flags as autopkgtest
  * Use vendored dependencies for autopkgtest

 -- Ravi Kant Sharma <email address hidden> Wed, 02 Jul 2025 10:40:47 +0000

Changed in rust-sudo-rs (Ubuntu):
status: New → Fix Released
Changed in rust-sudo-rs (Ubuntu):
status: Fix Released → In Progress
importance: Undecided → High
Federico Quattrin (federicoquattrin) wrote :

I reviewed rust-sudo-rs 0.2.5-5ubuntu2 as checked into questing. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

rust-sudo-rs is a re-implementation of sudo and su written in Rust.

- CVE History
  - The package has only 3 CVEs.
  - 1 CVE has been fixed in version 0.2.0
  - 2 CVEs have been fixed in version 0.2.6. Latest version we have is 0.2.5.
    I recommend upgrading in devel to 0.2.6 or 0.2.7 since it also comes with
    an apparmor profile feature.
- Build-Depends
  - debhelper-compat (= 13)
  - dh-sequence-cargo
  - libpam-dev
  - pandoc [!i386]
  - cargo:native
  - rustc:native (>= 1.70)
  - libstd-rust-dev
  - and vendored packages:
    - [email protected]
    - [email protected]
    - [email protected]
    - [email protected]
    - pretty_assertions@1.4.1
    - [email protected]
- pre/post inst/rm scripts
  - ok
- init scripts
  - no flaws found
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - no flaws found
- binaries in PATH
  - su, sudo, and visudo
- sudo fragments
  - no flaws found
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - it has tests and they run at build time.
- cron jobs
  - none
- Build logs
  - no flaws found

- Processes spawned
  - no flaws found
- Memory management
  - no flaws found
- File IO
  - no flaws found
- Logging
  - no flaws found
- Environment variable usage
  - no flaws found
- Use of privileged functions
  - no flaws found
- Use of cryptography / random number sources etc
  - no flaws found
- Use of temp files
  - no flaws found
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none

- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none (Coverity does not support Rust)
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none

The latest version we have is 0.2.5. This version does not support NOEXEC
and sudo edit.

Version 0.2.6+ has a cargo feature to enable an AppArmor profile and supports
NOEXEC. We might want to enable that feature for future releases when
building the deb pkg. Version 0.2.6 also fixes two low CVEs.

Upstream maintains a list of relevant CVEs that affected sudo in the past,
and double-checks that sudo-rs is not affected when implementing new features.
https://github.com/trifectatechfoundation/sudo-rs/blob/main/docs/sudo-cve.md.
They update the list when they introduce new features.

Upstream recently performed an external code audit:
https://github.com/trifectatechfoundation/sudo-rs/blob/main/docs/audit/audit-report-sudo-rs.pdf

Upstream has a SECURITY.md with proper information on how to contact them if
you need to report a security issue. We reached out to them to discuss
something that caught our attention, and they replied in about 1 hour.
This was a bug related to NOEXEC and sudo --list, which has been addressed
promptly.

The edit flag (-e) has not been implemented:
e.g.:
$ sudo-rs -e /test
error: `--edit` flag has not yet been implemented

When installing it on Questing, I did not have the smoothest experience:
$ sudo apt install sudo-...


Changed in rust-sudo-rs (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in rust-sudo-rs (Ubuntu):
status: In Progress → Fix Committed
Simon Chopin (schopin) wrote :

I took the liberty of also overriding its priority to Important (based on the priority of the old sudo package in Plucky)
❯ change-override --suite questing -S -c main -p important rust-sudo-rs
Override component to main
Override priority to important
rust-sudo-rs 0.2.5-5ubuntu3 in questing: universe/misc -> main
sudo-rs 0.2.5-5ubuntu3 in questing amd64: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing arm64: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing armhf: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing i386: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing ppc64el: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing riscv64: universe/utils/optional/100% -> main/important
sudo-rs 0.2.5-5ubuntu3 in questing s390x: universe/utils/optional/100% -> main/important
Override [y|N]? y
8 publications overridden.

Changed in rust-sudo-rs (Ubuntu):
status: Fix Committed → Fix Released