frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Open in hackernews

Memory-safe sudo to become the default in Ubuntu

https://trifectatech.org/blog/memory-safe-sudo-to-become-the-default-in-ubuntu/
61•jnsgruk•3h ago

Comments

Rotundo•2h ago
Did sudo have memory problems? Did it ever fail because it didn't handle its memory correctly?
stop50•2h ago
Sudo had quite a few problems with security, partially because of this doas was developed for BSD. Some problems come from the huge amount of features(ldap, easter eggs, ...). sudo-rs reduces the problems by not implementing those features.
XorNot•1h ago
Removing LDAP is a huge problem for the more important sudo deployments though: centralized management of permissions is kind of a vital function.
Filligree•1h ago
Those people can keep using sudo; it’s not going away. The rest of us get better security.
fluidcruft•51m ago
Is it actually removing ldap or is it offloading to pam?
JoshTriplett•32m ago
Debian is currently in the process of dropping the direct LDAP support in sudo, in favor of sssd. From sudo's NEWS.Debian.gz:

> In practice, there are few installations that use sudo-ldap. Most installations that use LDAP as a directory service and sudo have now opted for sssd, sssd-ldap and libsss-sudo.

> The Debian sudo team recommends the use of libsss-sudo for new installations and the migration of existing installations from sudo-ldap to libsss-sudo and sssd.

dec0dedab0de•20m ago
Could you clarify what you mean by more important sudo deployments?
ch_123•52m ago
> Some problems come from the huge amount of features(ldap, easter eggs, ...). sudo-rs reduces the problems by not implementing those features.

This makes me wonder:

1) Would a hypothetical "sudo-lite" with these features removed lead to better security without a rewrite?

2) If these features are useful in the real world, will a Rust rewrite of sudo inevitably gain these features over time and end up with similar problems?

throw0101a•46m ago
> 1) Would a hypothetical "sudo-lite" with these features removed lead to better security without a rewrite?

OpenBSD did this with their doas utility:

* https://en.wikipedia.org/wiki/Doas

Dylan16807•29m ago
"without a rewrite" means cutting down the existing code. A completely different program goes into the same category as "rewrite".
mid-kid•2h ago
There's been cases[1], of particular note, the unescape overflow one[2]. This one scathed the reputation of sudo enough to get people pushing for alternatives such as doas. The track record of vulnerabilities in general leaves a bit to be desired, even outside of memory vulns.

[1]: https://www.sudo.ws/security/advisories/

[2]: https://www.sudo.ws/security/advisories/unescape_overflow/

Maxatar•13m ago
Yes it has:

https://nvd.nist.gov/vuln/detail/cve-2021-3156

ndegruchy•1h ago
Seems like the trifecta group is /just/ about migrating tools to rust? Am I understanding that right?

I don't have a problem with it, specifically. Seems odd that they don't advertise it, though.

fossuser•49m ago
The religious element of rust programmers seems more extreme than other languages. There’s always a little bit of that sort of thing, but rust programmers seem to have mixed theirs with politics too.

It makes me wonder how much is motivated by stuff other than what’s actually the best outcome.

Ygg2•37m ago
> The religious element of rust programmers

Yeah. I too, hate the Rust Evangelically Orthodox Later Day Christians.

Oh, wait... You're serious. What is religious about rewriting tools in Rust? Isn't that what most programmers do for fun and learning?

Is it any more religious than worshiping Alan Kay or Dijkstra?

> It makes me wonder how much is motivated by stuff other than what’s actually the best outcome.

Looks in the thread... Sees https://www.sudo.ws/security/advisories/

Are you sure the status quo is the better outcome?

ziddoap•6m ago
>What is religious about rewriting tools in Rust?

"Religious" isn't being used to refer to people rewriting tools in Rust.

It's used to refer to people zealously commenting on message boards that every single tool ever built should be rewritten in Rust, and if you aren't rewriting your tool in Rust, you're an idiot.

VWWHFSfQ•31m ago
Memory safety is strictly a good thing, regardless of motivations.

But I'm aware that some people are frightened of new languages and paradigms especially if they're 'harder' than what they're used to.

mid-kid•31m ago
We've accepted it at this point, but I wonder if the religious element of GNU tools and free software in general was as contentious way back when.
Analemma_•26m ago
A little while ago I realized with a start that it's been years since I've heard anyone angrily insist on calling it "GNU/Linux", when that was constant background noise during the Slashdot era. One of those old fights that just faded away, I guess.
mid-kid•23m ago
That's true. I find myself still saying GNU/Linux where it's relevant (e.g. when referring to the userland, or a compatible userland) but it's not as contentious as it used to be, which is a nice breath.
i80and•18m ago
Oh yeah, I got to meet Stallman at a book signing when I was like 17, and like an idiot happened to wear a "Linux" shirt.

I genuinely hadn't thought of this point of contention beforehand, but oof he did not care for that.

mrpippy•12m ago
Did you tell him you were a fan of just the kernel, not the userland?
hedora•7m ago
I got him to imply I was being cheap!
rs186•22m ago
> The religious element

It is only "religious" if you think it in such a way.

I'd say the amount of skepticism (rather than valid criticism) has been no less than enthusiam in the community.

As the saying goes, there are two kinds of languages...

dismalaf•21m ago
Not like GNU is any less religious...

I think they just want to ditch GNU tools and lots of young, low level programmers want to use Rust (same rationale for Linus accepting Rust code into the kernel).

john-h-k•49m ago
The other big thing iirc is they’re all MIT licensed rather than GPL(et variants) licensed
ndiddy•18m ago
Sudo is permissively licensed. https://www.sudo.ws/about/license/
kokada•50m ago
I am not sure if memory-safety is the biggest issue in sudo design. I find the fact that it is a setuid binary a much bigger issue because a bug can possible result in privilege escalation.

I found an alternative implementation that doesn't rely in being a setuid binary like systemd-run0 much more interesting from a security perspective, but I am no security expert.

Retr0id•43m ago
A bug in a daemon-based sudo alternative would surely also result in privilege escalation?

I think the main benefit of eliminating setuid binaries is that you can forbid them system-wide (e.g. via mount flags), as a hardening measure.

JoshTriplett•34m ago
There's value in always starting processes from a known-secure environment rather than attempting to transform a user's arbitrary environment into a secure one.
Retr0id•31m ago
True, CVE-2021-4034 comes to mind as a recent example (exploiting zero-length argv)
hedora•10m ago
How is that any different than a daemon that has a parser error in its message handler, except that the daemon could be misconfigured to listen on a network socket?

The original unix process abstraction was extremely simple; the entire spec is a few pages.

The problem is that Linux keeps adding more and more levels of Rube Goldberg machine to its security model, so now literally no one understands how a default minimal install of, say, Ubuntu works.

Adding a magic daemon that runs stuff as root to this pile of complexity probably won’t help. Ripping out almost all the cruft that’s accumulated over the years, and adding back something sane (maybe BSD jails) would work a lot better.

MajesticHobo2•43m ago
Right, but now the vector for privilege escalation will have to be a logic bug in memory-safe sudo instead of either a memory corruption (see CVE-2021-3156) or a logic bug. It’s hard not to see this as a major improvement.
charcircuit•27m ago
Being a setuid binary means that sudo also suffers from attacks where an attacker runs `sudo ./malware` and then convinces the user to authenticate. Depending on how sudo authenticates phishing attacks or password reuse from another breach can be used to escalate privileges.
jvanderbot•6m ago
Those will also have to be fixed/considered, but do not detract from the contribution of removing memory safety bugs which may enable exploits.
dev_l1x_be•39m ago
doas is a much simpler (and therefore better) alternative.
JoshTriplett•35m ago
doas is not a compatible drop-in replacement for existing users.
asmodeuslucifer•21m ago
That's good to hear.