slovenlyrobot

For anyone with a modicum of C spending any amount of time in the sudo codebase, this isn't much surprise. It's the scariest piece of organically grown security-sensitive code I'm aware of still in popular use. It's jam-packed with features you've never even heard of, and has quite surprising functional changes across versions that never make the changelog and require diffing to discover.

It's hard to quantify that "this code is obviously wrong" feeling, for example liberal intermixing of concerns within a single procedure in many places of the code. Options with little to no security value (requiretty) documented as if they do, the ability to pass control to user-supplied policy plug-ins from a setuid binary, etc. There is just far too much going on to expect it not to regularly break

Ignoring the implementation, I think it's fair to say sudo is broken in concept, simply by trying to have this kind of expressive policy language in the first place. The set of skills required to safely expose some subset of functionality to an untrustworthy user is perfectly distinct from those involved in typical sysadmin.

throwaway2048

OpenBSD became concerned about sudo's codebase some time ago, and replaced it with the conceptually much simpler doas, which achives about 95% of what sudo does in real world usage.

https://man.openbsd.org/doas

gilgamesh3
I've heard of doas sometimes and it's much simpler than sudo, but it's powerful. Doas has two non-official port for Linux[0][1], but it would be great if someone developed an official tool like doas for Linux.

[0] https://github.com/multiplexd/doas

[1] https://github.com/slicer69/doas