My concern is that while re-implementing sudo in Rust would solve bugs due to memory safety and off-by-one errors, it is a complex piece of software where logic errors can create serious security issues.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809

There is also 'doas' from the OpenBSD project. It's a replacement for 'sudo' with fewer features and a smaller codebase, with the aim of a smaller attack surface.

https://en.m.wikipedia.org/wiki/Doas

This so-called memory safety is looking like a buzzword engineered to be extremely appealing to the kind of people who are mildly technical but mostly illiterate about computer security.

This has been said before, this has been tried before; OOP was also seen as a silver bullet at some point, like several others.

Computer security is a deeply complex and dirty field; switching programming language won't help much if programmers are expecting the work to be done for them by the compiler.

If you want robust code: hire experts in the field and pay the price.

Rewriting sudo is almost certainly going to be painful and to increase the potential for vulnerabilities.

This sounds good; however, I hope they don't try to replicate all of sudo.

sudo fails a basic security principle on Unix systems, namely that suid binaries should be simple. Their developers have a tendency to add all kinds of stuff that barely anyone ever uses, but that bloats its size.

Good plan. Reimplementing in Rust using a carefully planned milestone-based approach should result in feature parity with fewer security vulnerabilities.

This just isn't necessary. There's excellent C tooling that identifies memory safety issues.

It seems any program that meets the four criteria would be better served by rigorous analysis of the existing code.

Why not just use doas(1) instead?

doas(1)

- doas(1) - portable version has about 500 lines of code
- doas(1) man pages - 157 lines long
- doas(1) had 2 CVEs

sudo(8)

- sudo(8) - about 120,000 lines of code (100x more)
- sudo(8) man pages - 10 000 lines long
- sudo(8) had 140 CVEs

The CVE comparison is 'all time', and as sudo(8) has a longer history than doas(1) it will (at least statistically) have more of these ... I expect doas(1) to have about 5-10 CVEs when they would have the same life span.

Regards,

vermaden

Another tool getting reimplemented in Rust under a weak license.

Do people want to ruin the Linux ecosystem or what? It only takes one distro to close its modified source (backports, bugfixes etc.) for the entire ecosystem to start to crack.

> But because it's written in C, sudo has experienced many vulnerabilities related to memory safety issues.

Or because it's not been developed with enough care?

I for one think that there is no unsafe language, only careless programmers.