Ubuntu 25.10 Embraces Rust-Based Sudo-rs for Enhanced Security

3:39 PM   |   09 May 2025

Canonical's Ubuntu 25.10 will make sudo-rs, a Rust-based rewrite of the classic sudo utility, the default. The move is part of a broader initiative to mitigate memory-related security bugs and fortify core system components.

Scheduled for release on October 9, 2025, Ubuntu 25.10 aims to provide users with a significantly reduced attack surface and heightened confidence in overall system security.

Sudo, a ubiquitous command-line utility in Unix-like systems, empowers authorized users to execute commands with elevated privileges, typically as root. The Rust-based reincarnation, sudo-rs, seeks to bring memory safety to this critical utility.

The Imperative of Memory Safety

Memory-safe code inherently prevents bugs such as buffer overflows and use-after-free vulnerabilities, which account for a substantial portion of severe software vulnerabilities. Organizations such as the US government's CISA and Microsoft (the latter through figures like Mark Russinovich) have been urging developers to adopt programming languages with memory safety guarantees (e.g., Rust, Go, and C#) for new projects and, where feasible, to rewrite existing ones in them.

The Genesis of Sudo-rs

The Internet Security Research Group's Prossimo project spearheaded Rust rewrite efforts starting in 2020. This initiative paved the way for projects like sudo-rs, which has garnered support through funding from AWS.

The Ongoing C vs. Rust Debate

The rise of Rust, while celebrated by many, remains controversial within the Linux maintainer community. This shift has created a crisis for those maintaining C and C++, languages that lack inherent memory safety guarantees. If the C and C++ communities fail to devise robust methods to ensure memory safety, developers using these languages may face increased maintenance burdens and eventual obsolescence.

Sudo's Vulnerability History

Marc Schoolderman, the lead engineer behind the sudo-rs rewrite, emphasized that Sudo has a history of serious memory safety vulnerabilities. He pointed to a list curated by Todd Miller, the developer of the C-based sudo.

Schoolderman elaborated, "The list highlights several memory safety vulnerabilities, including buffer overflows, heap overflows, and double frees. One of the earliest documented vulnerabilities dates back to 2001, known as 'Vudo,' which demonstrated how an attacker could gain full system access from limited initial access."

He further noted, "A more recent example is the 'Baron Samedit' bug, discovered by Qualys in 2021, which, like 'Vudo,' allowed for uncontrolled privilege escalation. This vulnerability is well-documented with numerous websites and YouTube videos illustrating its exploitation; it's identified as CVE-2021-3156."

Canonical's Commitment to Resilience

The Trifecta Tech Foundation stated in a blog post that "The decision to adopt sudo-rs aligns with Canonical’s commitment to Carefully But Purposefully increase the resilience of critical system software by adopting Rust. Rust is a programming language with strong memory safety guarantees that eliminates many of the vulnerabilities that have historically plagued traditional C-based software."

Erik Jonkers, chair of the Trifecta Tech Foundation, told The Register, "There are, of course, other critical utilities, but sudo is among the most critical; it mediates a critical privilege boundary on just about every open-source operating system that powers the Internet."

Jonkers added, "That fact, plus AWS's willingness to fund the work, is the reason ISRG's Prossimo selected it. For AWS, moving to memory-safe code as much as possible, for e.g., Amazon Linux, is very valuable. This is clear from the support AWS provided and now Canonical, who are interested in making their products more secure. Also, the response from the open source community shows people care about sudo."

Broader Adoption of Rust-Based Utilities

Jonkers highlighted that other essential components like zlib-rs and ntpd-rs have found adoption in Firefox and Let's Encrypt, respectively.

The initial stable release of sudo-rs occurred in late August 2023. Since then, it has been integrated into Chainguard's container-focused Linux distribution, Wolfi Linux OS, and other security-conscious distributions like NixOS and AerynOS. It is also packaged with Debian, Fedora, and Ubuntu.

Ubuntu's Oxidization Initiative

As The Register reported previously, Canonical's VP of engineering, Jon Seager, recognizes the value of adopting sudo-rs as a default. He stated, "While performance is high on my list of priorities, it’s not the primary driver behind this change. These utilities are at the heart of the distribution – and it’s the enhanced resilience and safety that is more easily achieved with Rust ports that are most attractive to me."

To evaluate these Rust-based utilities, Seager initiated a project called oxidizr, which simplifies replacing traditional Unix utilities with modern Rust alternatives on Ubuntu systems. Currently, oxidizr supports uutils coreutils, findutils, diffutils, and sudo-rs.

The Long-Term Transition

"It will take time to move the needle significantly," Jonkers acknowledged. "There is a focus on defensive security, network security, etc., in the market."

He concluded, "What we have seen with the reports by Google on Android transition, is that the impact, including cost savings, is huge. CISA marking memory unsafe languages as a bad practice is surely a step in the right direction. In Europe, we are working similarly towards including Memory Safety in Secure by Design policy, together with the Sovereign Tech Agency. The transition will take time, but I'm convinced the needle is moving."