Two of the most fundamental tools of the modern Unix-like command line, sudo and su, are being rewritten in the modern language Rust as part of a wider effort to get critical but aging infrastructure pieces replaced by memory-safe counterparts.
As detailed at Prossimo, a joint team from Ferrous Systems and Tweede Golf, with support from Amazon Web Services, is reimplementing sudo and su. These utilities allow a user to perform actions with the privileges of another user (typically a higher-level superuser) without having to learn and enter that other user’s password. Given their age and wide usage, the Prossimo team believes it’s time for a rework.
“Sudo was first developed in the 1980s. Over the decades, it has become an essential tool for performing changes while minimizing risk to an operating system,” writes Josh Aas. “But because it’s written in C, sudo has experienced many vulnerabilities related to memory safety issues.”
The sudo command fits the Prossimo projects criteria for reimplementation “squarely.” It’s used on nearly every server and client, it is on a critical boundary, it performs a critical function, and it is written in languages that are not memory-safe, like C and asm. The project’s work plan and milestones are posted, and you can track the work on GitHub.
Sudo was developed in 1980 by Robber Coggeshall and Cliff Spencer at the State University of New York at Buffalo (go Bulls) on a VAX-11/750 running 4.1BSD. Coggeshall further developed sudo at the University of Colorado Boulder; the tool was eventually made public and maintained by Todd C. Miller. The su command was part of Version 1 Unix.
A well-funded effort to reimplement a core aspect of Unix-like systems, even in a well-regarded language like Rust, is all but guaranteed to stir up the community. While it was developed over decades and is implemented in nearly every system, the sudo command is not without flaws. Certain versions of sudo were vulnerable to a root-providing buffer-overflow bug, as reported in 2019. Then again, the majority of sudo vulnerabilities do not appear memory-related (depending on one’s definition); one can certainly code new bugs into software that’s written in a memory-safe language.
The Prossimo group’s milestones page does not explain how wider adoption of a Rust-based sudo and su would be promoted. It’s a good bet that effort could require just as much effort as the rewrite itself.
Listing image by Cavan Images/Getty
