Adopting sudo-rs By Default in Ubuntu 25.10

Introduction

Following on from Carefully But Purposefully Oxidising Ubuntu, Ubuntu will be the first major Linux distribution to adopt sudo-rs as the default implementation of sudo, in partnership with the Trifecta Tech Foundation.

The change will be effective from the release of Ubuntu 25.10. You can see the Trifecta Tech Foundation’s announcement here.

What is sudo-rs?

sudo-rs is a reimplementation of the traditional sudo tool, written in Rust. It’s being developed by the Trifecta Tech Foundation (TTF), a nonprofit focused on building secure, open source infrastructure components. The project is part of the Trifecta Tech Foundation’s Privilege Boundary initiative, which aims to handle privilege escalation with memory-safe alternatives.

The sudo command has long served as the de facto means of privilege escalation on Linux. As described in the original post, Rust provides strong guarantees against certain classes of memory-safety issues, which is pivotal for components at the privilege boundary.

The sudo-rs team is collaborating with Todd Miller, who’s maintained the original sudo for over thirty years. sudo-rs should not be considered a fork in the road, but rather a handshake across generations of secure systems. Throughout the development of sudo-rs, the TTF team have also made contributions to enhance the original sudo implementation.

The sudo-rs project is designed to be a drop-in replacement for the original tool. For the vast majority of users, the upgrade should be completely transparent to their workflow. That said, sudo-rs is not a “blind” reimplementation. The developers are taking a “less is more” approach. This means that some features of the original sudo may not be reimplemented if they serve only niche, or more recently considered “outdated”, practices.

Erik Jonkers, Chair of the Trifecta Tech Foundation, explains:

While no piece of software - in any language - is flawless, we believe the transition to Rust in systems programming is a vital step forward. It is very exciting to see Ubuntu committing to sudo-rs and taking the lead in moving the needle.

Sponsoring Mainstream Adoption

Leading the mainstream adoption of a replacement to such a universally understood tool comes with responsibility. Before committing to ship sudo-rs in Ubuntu 26.04 LTS, we’ll test the transition in Ubuntu 25.10. We’re also sponsoring the development of some specific items, which has manifested as Milestone 5 in the upstream project:

  • Coarse-grained shell escape prevention (NOEXEC) on Linux (See PR #1073)
  • The ability to control AppArmor profiles (First PR #1067)
  • A sudoedit implementation
  • Support for Linux Kernels older than version 5.9

The final item may seem out of place, but because Ubuntu 20.04 LTS is still in support, without this work there could be situations where sudo fails to function if, for example, a 26.04 LTS OCI container was run on a 20.04 LTS host!

The team have also already begun work on ensuring that the test-suite is as compatible as possible with Ubuntu, to ensure any issues are caught early.

This isn’t just about shipping a new binary. It’s about setting a direction. We’re not abandoning C, or even rewriting all the utilities ourselves, but by choosing to replace one of the most security-critical tools in the system with a memory-safe alternative, we’re making a statement: resilience and sustainability are not optional in the future of open infrastructure.

Progress on coreutils

Since the initial announcement, we’ve been working hard to more clearly define a plan for the migration to uutils coreutils in 25.10 and beyond. Similarly to our engagement with the Trifecta Tech Foundation, we’re also sponsoring the uutils project to ensure that some key gaps are closed before we ship 25.10. The sponsorship will primarily cover the development of SELinux support for common commands such as mv, ls, cp, etc.

The first step toward developing SELinux support was to add support for automated testing in GitHub Actions; since then, the maintainers have begun work on the actual implementation.

The other feature we’re sponsoring is internationalisation support. At present, some of the utility implementations (such as sort) have an incomplete understanding of locales, and therefore may yield unexpected results. We expect that these two features should land in time for us to ship in 25.10, and we’ll continue to work with the uutils project throughout the 26.04 LTS cycle to close any remaining gaps we identify in the interim release.

One of the major concerns outlined in Julian’s post is about binary size. We’ve got a few tricks we can play here to get the size down, and there is already some conversation started upstream in Debian on how that might be achieved. There are also security implications, such as AppArmor’s lack of support for multi-call binaries. We’re currently working with the respective upstreams to discuss addressing this systematically, though in the interim we may need to build small wrapper binaries to enable compatibility with existing AppArmor profiles from the start.

Migration Mechanics

Julian Klode posted recently on the Ubuntu Discourse outlining the packaging plan that will enable us both to migrate transparently to uutils coreutils and to provide a convenient means for users to opt out and switch back to GNU coreutils if they wish, or if they identify a gap in the new implementation. I expect this will be rare, but we want to make sure it’s as easy as possible to revert, and will be documenting this in detail before release.

Replacing coreutils isn’t as simple as swapping binaries. As an Essential package, its replacement must work immediately upon unpacking without relying on maintainer scripts, and without conflicting files across packages. To solve this, we’re introducing new coreutils-from-uutils and coreutils-from-gnu packages, as well as coreutils-from itself. For all the gory details, see the Discourse post!

The packaging work required to switch to sudo-rs is somewhat less complicated than with coreutils. The package is already available in Ubuntu (which you can still test on Ubuntu 24.04, 24.10 and 25.04 with oxidizr!), but unlike coreutils, sudo is not an Essential package, so we’ll be able to make use of the Debian alternatives system for the transition.
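To check which implementation the alternatives system currently resolves sudo to, and whether an administrator has pinned that choice (so a later package upgrade will not silently switch it), here is an added shell example that is not from the post or from either project. The alternative name "sudo", the candidate paths and the path-to-implementation mapping are assumptions; the query output is constructed in the format `update-alternatives --query` prints.

```shell
#!/bin/sh
# Added example, not part of the announcement or of the sudo-rs/Debian packaging.
# Reads `update-alternatives --query` output and reports which implementation
# the sudo link points at, and whether the link is in auto or manual mode.

# report_sudo_alternative QUERY_TEXT
# Prints "<implementation> <mode>", e.g. "sudo-rs auto" or "sudo manual".
# Mode "manual" means an administrator pinned the link (--set/--config), so a
# higher-priority candidate will not take over the link automatically.
# Assumption: the sudo-rs candidate path contains "sudo-rs"; anything else is
# treated as the original sudo.
report_sudo_alternative() {
    printf '%s\n' "$1" | awk '
        /^Status:/ { mode = $2 }
        /^Value:/  { value = $2 }
        END {
            if (value == "")              impl = "none"
            else if (value ~ /sudo-rs/)   impl = "sudo-rs"
            else                          impl = "sudo"
            print impl " " mode
        }'
}

# Constructed sample: auto mode, highest priority candidate (sudo-rs) selected.
SAMPLE_AUTO='Name: sudo
Link: /usr/bin/sudo
Status: auto
Best: /usr/lib/cargo/bin/sudo-rs
Value: /usr/lib/cargo/bin/sudo-rs
Alternative: /usr/bin/sudo.orig
Priority: 10
Alternative: /usr/lib/cargo/bin/sudo-rs
Priority: 20'

# Constructed sample: an administrator reverted to the original sudo by hand.
SAMPLE_MANUAL='Name: sudo
Link: /usr/bin/sudo
Status: manual
Best: /usr/lib/cargo/bin/sudo-rs
Value: /usr/bin/sudo.orig
Alternative: /usr/bin/sudo.orig
Priority: 10
Alternative: /usr/lib/cargo/bin/sudo-rs
Priority: 20'

report_sudo_alternative "$SAMPLE_AUTO"    # prints "sudo-rs auto"
report_sudo_alternative "$SAMPLE_MANUAL"  # prints "sudo manual"
# On a real host: report_sudo_alternative "$(update-alternatives --query sudo)"
```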

Summary

Things are progressing nicely. We’ve established strong, productive relationships and are sponsoring work upstream to make these transitions viable.

We’ve got a strategy for migrating the default implementation of coreutils and sudo in Ubuntu 25.10 which will enable a seamless revert in cases where that is desired. While sudo-rs will be the default in 25.10, the original sudo will remain available for users who need it, and we’ll be gathering feedback to ensure a smooth transition before the 26.04 LTS.

Additionally, we’ve begun investigating the feasibility of providing SequoiaPGP and using it in APT instead of GnuPG. SequoiaPGP is a new OpenPGP library with a focus on safety and correctness, written in Rust. The GnuPG maintainers have recently forked the OpenPGP standard and are no longer compliant with it. Sequoia provides a modern alternative to GnuPG with strict behavior, and is already used in various other systems. More details to follow!

Stay tuned!


Found and installed sudo-rs on my Plucky from the universe repository, but I don’t find it in Launchpad: the page https://launchpad.net/ubuntu/+source/sudo-rs does not exist.

Try rust-sudo-rs … this is the source package name (Launchpad only operates on source packages).


https://launchpad.net/ubuntu/+source/rust-sudo-rs


So what exactly does it do differently in day to day use?

Given that upstream has already stated that centralized sudoers management via LDAP is out of scope for the project, I hope that the current sudo implementation will be maintained and kept around at the very least for the entire lifecycle of 26.04 LTS.

Just to be aware: you can use LDAP with sudo-rs, you will just have to set up something like SSSD for PAM and NSS, something most LDAP-based setups already do. If you do that, everything should work as is. The most important thing we don’t support and don’t intend to is to distribute the sudoers file using LDAP (with LDIF syntax). We believe such functionality is much better handled by external tooling.


A much welcomed move, great on Ubuntu and Canonical. As a bona fide exploiter I can say without a second thought that sudo has been the victim and tool of many privilege escalation vulnerabilities due to a wide set of memory and other attacks.

Sudo has served a major goal in Linux for many years, and will continue to do so through sudo-rs. I hope to find Todd over at that project someday.

@mpanella Given that upstream has already stated that centralized sudoers management via LDAP is out of scope for the project, I hope that the current sudo implementation will be maintained and kept around at the very least for the entire lifecycle of 26.04 LTS.

Friends don’t let friends use sudo LDAP integration.


Sounds exciting! I reckon I’ll have an alias for sudo-rs to sudo :smiley:

That’s your call and I respect that, I was merely pointing out that there are scenarios in which sudo-rs is not a simple drop-in replacement of the current sudo package.

My question, in fact, was whether or not Ubuntu intends to commit to keeping the original sudo package around for the 26.04 LTS until there’s a migration path that does not involve a complete overhaul of the way sudoers policies are distributed to downstream systems.

I know that Canonical’s adsys tooling does not use sudoers.ldap and instead syncs sudo-related GPO policies as drop-in files in /etc/sudoers.d, but the feature is gated by an Ubuntu Pro subscription and it only works if your IAM system is Active Directory, so if you’re using any other IAM based on LDAP/Kerberos (for instance FreeIPA) you’re pretty much left without a clear migration path.

Yes! The original sudo package will still be available in 26.04 (and probably a few releases after) and you’ll be able to choose which you use with the alternatives system.

This will all be documented with the release.


So what exactly does it do differently in day to day use?

That’s the best thing! Absolutely nothing. For the average user it should function completely identically. It’s simply built in a way that makes it much more difficult for malicious actors to exploit.


Great move. I have 25.10 installed and ready for the updates to flow in. Exciting times ahead in this release.