sudo-rs
rustup is inappropriate for security critical software
Hi,
Your README recommends users trying to improve the security of their sudo start by installing rustup. This is rather unfortunate, as not only does the install process of rustup generally never include any validation at all (just pipe shell from this AWS-hosted site!), but rustup itself does not enforce signature verification of the binaries it ultimately runs on your system.
While non-memory-safe sudo is absolutely a concern, trusting multiple unrelated Internet servers fully to deliver binaries which will ultimately be used to build a setuid program is undoubtedly a much more serious concern.
Instead, recommending users use the system-provided Rust toolchain avoids introducing a new trusted third party.
seems like a reasonable worry for the future, but while this project is in development I see no issue with rustup
That's totally fair. One warning, from experience, trying to provide an MSRV which even just non-Debian users can reliably access is a massive pain if your dependency tree is at all bigger than it has to be. Not that a smaller dependency tree isn't also a great security outcome too!
This is a fair criticism, but given the current status of the project this isn't too big of a worry. In the future we hope to have signed binaries available for those who are willing to trust us directly. For those that want to compile sudo-rs themselves they can hopefully use a distribution package manager provided rust toolchain, or download a binary and validate the signature from the Rust website.
Looking further into the future we hope to get accepted into the different native package managers of different distributions, so we would hope to never see many people actually manually installing a compiler toolchain other than those developing sudo-rs.
That said, I think we might opt to just omit the entire rustup paragraph and let people figure this out themselves (if they cannot figure it out I'm not sure they should be compiling sudo-rs anyway). Or at the very least we can update the wording to indicate that rustup is just an easy way to get a rust compiler toolchain.
Note: we are working on this issue; you can check out the branch ubuntu-build, which is buildable with rustc on Ubuntu 22.04 LTS. One commit in it is no longer needed on more recent Ubuntu releases, the other one is a patch that I think we can easily include in the mainline repository.
Update on this issue:
- the MSRV for sudo-rs (1.70) is enforced in CI, and we are holding it there for the moment
- ubuntu-build is still available for compiling with 1.66 if absolutely needed
- next Ubuntu release (Mantic Minotaur) will have >=1.71, so we can build out of the box there
- Debian trixie seems like it will have 1.70 soon as well
I.e. pretty soon(tm) we can build on the Debian toolchain (which, as far as I understand, is completely independent of things like rustup, crates.io, and so on).
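As an added illustration of the approach discussed above (an example script written for this page, not sudo-rs's own CI or any participant's code): gate a build on the distribution-provided rustc meeting the MSRV declared in Cargo.toml, with no rustup involved, and build with `--locked` so the crates.io graph is exactly the one committed in Cargo.lock. It assumes Cargo.toml carries a `rust-version = "..."` line and that `rustc --version` prints `rustc X.Y.Z ...`; the version strings in the comments and test are constructed samples.

```shell
#!/bin/sh
# Added example, not part of sudo-rs. Assumes Cargo.toml declares
# `rust-version = "1.70"` (or similar) and rustc prints "rustc X.Y.Z (...)".
set -eu

# Reduce "rustc 1.70.0 (0123456 2023-06-01)" (constructed sample; distro builds
# may append further suffixes) to the bare dotted version "1.70.0".
rustc_version_of() {
    printf '%s\n' "$1" | awk '{print $2}' | sed 's/[^0-9.].*//'
}

# Extract the rust-version value from Cargo.toml text supplied on stdin.
msrv_of() {
    sed -n 's/^rust-version *= *"\([0-9.]*\)".*/\1/p' | head -n 1
}

# field VERSION N: the N-th dotted component of VERSION, 0 when absent.
field() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ v = $n; if (v == "") v = 0; print v + 0 }'
}

# version_ge A B: succeed when dotted version A >= B (missing parts count as 0),
# so "1.70.0" satisfies an MSRV written as "1.70".
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(field "$1" "$i")
        y=$(field "$2" "$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_toolchain MSRV RUSTC_VERSION_OUTPUT: succeed only if the installed
# compiler is at least the MSRV; otherwise explain and fail.
check_toolchain() {
    have=$(rustc_version_of "$2")
    if version_ge "$have" "$1"; then
        printf 'rustc %s satisfies MSRV %s\n' "$have" "$1"
        return 0
    fi
    printf 'rustc %s is older than MSRV %s; install a newer distro package\n' "$have" "$1" >&2
    return 1
}

# Usage: sh check-toolchain.sh check   (run from the crate's root directory)
if [ "${1:-}" = "check" ]; then
    msrv=$(msrv_of < Cargo.toml)
    check_toolchain "$msrv" "$(rustc --version)"
    # --locked refuses to modify Cargo.lock, so the dependency graph that gets
    # built is exactly the reviewed one, not whatever the resolver picks today.
    cargo build --release --locked
fi
```

Distributions that vendor crates can add `--offline` to the cargo invocation; the version check itself never contacts the network.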
Note: since (as I'm writing this today) rustc 1.70 is in Debian unstable, and in fact sudo-rs is in Debian experimental, I think we are now firmly detached from a necessary dependency on rustup or the crates.io supply chain, or a single trusted third party.
Furthermore, we try to provide a reproducible build system for our releases based on crates.io.
I hope that resolves this important issue satisfactorily.
Thanks for opening it: as we've demonstrated in the past months, we care about our "software supply chain" security (by eliminating almost every dependency we had) and it's good to see that other people care about this too.
Awesome work! Thanks so much for tackling this.