The Case for Sudo Alternatives and Simplification
A significant theme revolves around the desire for simpler, more secure alternatives to sudo, like doas or sudo-rs, often at the cost of feature richness. The discussion includes arguments for and against complete rewrites versus feature reduction in the existing codebase.
- "Sudo had quite a few problems with security; partially because of this, doas was developed for BSD. Some problems come from the huge amount of features (ldap, easter eggs, ...). sudo-rs reduces the problems by not implementing those features." - stop50
- "OpenBSD did this with their doas utility" - throw0101a (referring to creating a "sudo-lite" without a rewrite)
- "It's a good idea to have a smaller, safer sudo alternative as the default, as OpenBSD does with doas. Users can install sudo if they need it." - mrweasel
- "Ripping out almost all the cruft that’s accumulated over the years, and adding back something sane (maybe BSD jails) would work a lot better." - hedora
Memory Safety and Security Concerns
A core argument for sudo-rs (and other alternatives) is improved security, especially concerning memory safety, although participants acknowledge this is only one aspect of overall security. Beyond memory safety, sudo's history of vulnerabilities contributes to the desire for alternatives like doas; the "unescape overflow" cited below is the 2021 heap-based buffer overflow in sudo's command-line unescaping (CVE-2021-3156, "Baron Samedit"), which allowed local privilege escalation to root.
- "It can't end up with similar problems, due to the memory safety guarantee." - literalAardvark
- "There are many types of security problems beyond memory safety issues." - ch_123
- "There's been cases[1], of particular note, the unescape overflow one[2]. This one scathed the reputation of sudo enough to get people pushing for alternatives such as doas. The track record of vulnerabilities in general leaves a bit to be desired, even outside of memory vulns." - mid-kid
- "Yes it has" - Maxatar (In response to "Did sudo have memory problems?")
Feature Trade-offs: LDAP and Centralized Management
The discussion highlights a tension between reducing features for security and maintaining essential functionality, especially regarding LDAP for centralized management of permissions. Debian's approach of replacing sudo's built-in LDAP support with SSSD is mentioned as a compromise: users and groups still arrive from LDAP via NSS, while the sudo binary itself no longer speaks LDAP.
- "Removing LDAP is a huge problem for the more important sudo deployments though: centralized management of permissions is kind of a vital function." - XorNot
- "Those people can keep using sudo; it’s not going away. The rest of us get better security." - Filligree
- "Debian is currently in the process of dropping the direct LDAP support in sudo, in favor of sssd." - JoshTriplett
- "The features we specifically don’t support are those related to direct LDAP support within sudo, so things like loading a sudoers file directly from LDAP. Sudo-rs will use any user retrieved via NSS, such as when configured using SSSD to load LDAP users." - rnijveld
Naming and User Expectations
A user argued that alternatives to sudo should have distinct names to avoid confusion and unmet expectations, drawing parallels with OpenBSD's approach with doas.
- "By all means, write a better, safer, smaller, more secure version of sudo, but don't have command be sudo or sudo-rs, name it something else. Again OpenBSD has doas, which to the users clearly isn't sudo, so users don't expect it to behave as sudo or configure as sudo." - mrweasel
Setuid Concerns and Alternative Architectures
The debate considers the inherent risks of sudo being a setuid binary (any bug in it executes with root privileges regardless of who invoked it) and proposes alternative approaches like systemd's run0 (referred to in the thread as systemd-run0), which is built on systemd-run and requests privilege from the service manager over IPC instead of carrying a setuid bit. The discussion also touches on the complexity of the Linux security model overall.
- "I am not sure if memory-safety is the biggest issue in sudo design. I find the fact that it is a setuid binary a much bigger issue because a bug can possibly result in privilege escalation." - kokada
- "I found an alternative implementation that doesn't rely on being a setuid binary like systemd-run0 much more interesting from a security perspective, but I am no security expert." - kokada
- "There's value in always starting processes from a known-secure environment rather than attempting to transform a user's arbitrary environment into a secure one." - JoshTriplett
- "The problem is that Linux keeps adding more and more levels of Rube Goldberg machine to its security model, so now literally no one understands how a default minimal install of, say, Ubuntu works." - hedora
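The setuid point above is easy to check on a real host. The following script is an added example, not code from the thread or from any of the projects discussed: it reports whether each privilege-granting tool found on PATH carries the set-user-ID bit, and inventories every setuid file in the standard binary directories. It uses only POSIX sh features (the `[ -u FILE ]` test and globbing), so it runs unchanged on Linux and the BSDs; the tool names it probes (sudo, doas, sudo-rs, run0) are assumptions about what might be installed, and anything absent is simply reported as not installed.

```shell
#!/bin/sh
# Added example (not from the thread): audit which privilege-granting
# binaries on this host are setuid, the property the discussion above
# singles out as the bigger risk. POSIX sh only, no GNU-specific tools.

# is_setuid FILE -> exit 0 if FILE exists and has the set-user-ID bit.
is_setuid() {
    [ -u "$1" ]
}

# list_setuid_in DIR... -> print every regular file directly inside the
# given directories that has the setuid bit, one path per line, sorted.
# Missing directories are skipped; an unmatched glob fails the -f test.
list_setuid_in() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -u "$f" ] && echo "$f"
        done
    done | sort
}

# describe TOOL -> one-line verdict for a command name looked up on PATH.
# A setuid binary starts with the file owner's privileges (root for sudo),
# so every bug in it is reachable with those privileges; a non-setuid
# binary run by an unprivileged user has no ambient root and must obtain
# privilege from a separate service (run0 talks to systemd over IPC).
describe() {
    path=$(command -v "$1" 2>/dev/null) || { echo "$1: not installed"; return 0; }
    if is_setuid "$path"; then
        echo "$1: $path is setuid (bugs here run with the owner's privileges)"
    else
        echo "$1: $path is not setuid (no ambient privilege on exec)"
    fi
}

# Demo: compare the tools discussed in the thread (names are assumptions
# about what is installed), then show the setuid inventory of the usual
# binary directories.
for tool in sudo doas sudo-rs run0; do describe "$tool"; done
echo "--- setuid files in /usr/bin /bin /usr/sbin /sbin ---"
list_setuid_in /usr/bin /bin /usr/sbin /sbin
```

Run it as an ordinary user; no privileges are needed to read mode bits. A long inventory is the normal state on a general-purpose distribution, which is exactly the attack surface the non-setuid designs mentioned in the thread try to shrink, and it is worth diffing the output against a known-good baseline after package upgrades.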