Hacker Neue

Preferences
pona-a parent
udisks, not counting its dependencies, has 265,334 LoC. pmount, in contrast, has 19,978 LoC, or >13x less.

sudo, another setuid binary with a lot of policy code, has 210 CVEs / 430.150 kLoC = ~0.5 CVE per kLoC.

57.5% of CVEs have a CVSS >= 7, so 0.5 * 0.575 = 0.2875 CVE7/kLoC.

As a back-of-envelope estimate,

  udisks: 0.2875 CVE7/kLoC * 265.334 kLoC = ~76.28 critical CVEs;
  pmount: 0.2875 CVE7/kLoC * 19.9780 kLoC = ~5.7 CVEs.
bapak
It's incredible to me that sudo has that many LoC. I'd assume it would just ask the OS to execute something without restrictions, not have any logic to do so itself.
saagarjha
Asking the OS to do something without restrictions is not very difficult; sudo does that by virtue of its existence (it's setuid). The extra code is deciding when not to do that.
quotemstr
The problem isn't even setuid exactly but the size of the TCB. Setuid encourages a design in which tons of stuff that doesn't need to run as root runs as root anyway just because it's part of the same binary that needs elevated privileges. It's a footgun, but one can handle even a footgun safely if you practice trigger discipline and assume every gun is loaded.

Sudo (and other setuid programs) could in principle use privilege separation to punt everything not absolutely essential to an unprivileged context and thereby reduce the size of the TCB.

pinoy420 (dead)
pona-a OP
OpenDoas, a portable version of OpenBSD's doas, has 4260 LoC while doing most you'd expect. Sudo just has a lot of policy tools that most don't even know about, but add to its surface area.
puzzlingcaptcha
OpenDoas is used by default by Alpine linux for example.
pona-a OP
I remember last time I installed it, there was neither sudo nor doas preinstalled.
puzzlingcaptcha
sudo was officially depreciated in 3.15 and moved to community in the next release https://gitlab.alpinelinux.org/alpine/tsc/-/issues/1
rcxdude
sudo has a lot of machinery for representing complex policies which involve partial access to elevated (or just different) permissions, and with more conditions than just a correct password for the requesting user. The kernel itself just sees a binary running as root which may drop some of those permissions before starting another process.

(And this isn't even the most arcane part of linux userland authorization and authentication. PAM is by far the scariest bit, very few people understand it and the underlying architecture is kinda insane)

1718627440
Whats the problem with PAM? When setting up Auth, it was always the nicest part. Even the source code is quite readable.
einpoklum
When I'm told my code needs to "just" do X, it is usually the case that it needs to do a bunch of other stuff to enable X.
commandersaki
I think it's all the stuff to do with using a shared sudoers across a network of hosts. They could really clean up the language if they removed all of that gunk, as it's not reflective of how sudo is deployed these days.
lukaslalinsky
Even these days, I don't like having deployment SSH keys, or anything of that nature, unless the users are sudo-restricted. You might say that's obsolete in today's world of kubernetes/clouds, but there are many many use cases not met by these things and even for the clouds, someone needs to run them.
b112
There's also full sudo session logging and a logging server now, along with binaries to replay all those logs. Whether those LOC reflect the logging server, I don't know.

It literally replays in the terminal like a movie. It's nice, but I worry too much about the security implications (passwords captured, etc) to roll it out.

edit:

Ah yes, sudoreplay. You can see this video a playback via it. That's not the guy typing, that's sudoreplay time-accurately replaying what happens.

https://www.youtube.com/watch?v=8XHlowCiLaM

listeria
have you heard of script/scriptreplay?

  script --log-timing file.tm --log-out script.out
  # do something in a terminal session ...

  scriptreplay --log-timing file.tm --log-out script.out
  # replay it, possibly pausing and increasing/decreasing playback speed
ikekkdcjkfke
Why does anything at all need to be executed without restrictions though
salawat
Should your calculator ask who you are to compute 2+2? Contrary to popular belief, access control was stapled onto the computation space. There was a time when it was considered an unnecessary extravagance. It only became the night unbuckle mandate that machines give a shit about who you are once we started using computers as the basis of business systems.

Accounts thereafter, ruined everything.

dspillett
> It only became […] that machines give a shit about who you are once we started using computers as the basis of business systems.

One we started using connected machines for much and people with flexible though morals noticed that there was trust in the system(s) ripe for exploitation for fun or profit or both.

I remember SMTP hosts being open by default because it wasn't a problem, that very quickly changed once spam was noted as potentially profitable.

There were accounts all over from quite early on, in academic environments before businesses took much of an interest, if only to protect user A from user B's cockups ("rm -rf /home /me/tmp") though to some extent also because compute time was sometimes a billable item, just not on single user designed OSs¹.

[1] Windows, for example, pre NT & 95 (any multi-user features you might have perceived in WfW 3.x were bolted on haphazardly and quite broken WRT actual security)

Asooka
There is no such API on Linux, it is accomplished by sudo having the setuid bit set, which instructs the kernel to start it as root regardless of the current user. It's probably one of the worst legacy designs still in use - if any binary has setuid set, it runs as root, no questions asked. Conversely, you also have no way of elevating privileges for a running binary. This really should have been solved decades ago with a robust API for authentication and authorisation of running processes to gain and lose privileges, like what Windows has. Having a filesystem bit grant root privileges to a program is insane. There are probably a dozen CVEs waiting to be discovered with silently corrupting the filesystem and setting that bit on your binary.
SoftTalker
> if any binary has setuid set, it runs as root

More precisely, it runs as the file owner. Which is often root.

kayodelycaon
For anyone thinking this is unnecessarily pedantic, it’s not.

I didn’t exactly know what setuid did. I learned something today. :)

vbezhenar
You might also research what setgid bit on directories do, it's useful sometimes.
jowea
There's been some work on alternatives to setuid sudo. For example run0 from systemd.
j-krieger
I can't for the life of me find a list of 210 sudo CVE's. Are you sure this is correct?
pona-a OP
I got it from here [0]. I didn't notice it was a keyword search, so it's an overcount. Thanks for correcting me.

Going off its security advisories page [1] and this tracker [2], it seems to be around 43 CVEs, most rated high severity.

So the actual rate would be 43 CVE / 430 kLoC = ~0.01 CVE per kLoC, so ~2.65 CVEs for udisks and ~0.2 for pmount.

[0] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sudo

[1] https://www.sudo.ws/security/advisories/

[2] https://security.snyk.io/package/linux/debian%3A10/sudo

mrspuratic
You can search by CPE here: https://nvd.nist.gov/products/cpe/search and search for e.g.:

    cpe:2.3:a:sudo_project:sudo:*:*:*:*:*:*:*:*
    cpe:2.3:a:todd_miller:sudo:*:*:*:*:*:*:*:*
The above pair are the same "sudo", but split arbitrarily, perhaps varying by assigning authority preference. (There are some other "sudo" named projects too).

Those CPE IDs were determined by a brute-force-ish XML grep:

    xml select -N cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" -t --match '//cpe-23:cpe23-item' --if 'contains(@name,":sudo:")'  -v "@name" -n official-cpe-dictionary_v2.3.xml
Now, mapping CVE<->CPE is a tricker problem, it's not 1:1 (a single CVE can affect multiple product versions), and harder here since sudo (1986-ish) predates CVEs (1999) by a decade, and CPE (2009) by two. The most capable searches seem to be via non-free APIs or "vulnerability management $olutions", plus a few CLIs tools that need a lot of care and feeding.

This web service is free: https://cve.circl.lu/ But, you cannot search directly by CPE right now; you can start a search by vendor, then filter by product:

    todd_miller sudo: 58 vulnerabilities
    sudo_project sudo: 42 vulnerabilities
Except, for reasons I don't understand, there are duplicates because they somehow source "unique" but overlapping CVEs from multiple databases. The true number might be 50 combined, of varying severity/concern, but I give up now. I'm going to go mutter into my beard for a while.
tormeh
Ubuntu is switching to a Rust implementation of sudo: https://www.phoronix.com/news/Ubuntu-25.10-sudo-rs-Default

Repo here: https://github.com/trifectatechfoundation/sudo-rs

It's permissively licensed, unfortunately. Wonder why. It's not a library. But it ought to improve security in the long run.

Xylakant
> It's permissively licensed, unfortunately. Wonder why.

I've been loosely involved in setting this up, so I can say a little: The people that funded the initial work wanted it permissively licensed. My (somethwat informed) conjecture is that they rank making things secure - even in closed source apps that now could take the code - higher than barring closed forks. It also tracks with the Rust ecosystem in general - APL or derivates are very common in that ecosystem.

Vilian
Read the sudo license that argument don't make sense when sudo license is even more permissive
johnisgood
Do they not think that the switching is premature? I am pretty sure the Rust version has a lot of logic bugs that not have yet been found.
faceplanted
> I am pretty sure the Rust version has a lot of logic bugs

What makes you say that? I'm not trying to be argumentative, I'm genuinely interested.

jonathanstrange
Whenever a complex system is rewritten, there are a lot of bugs and regressions in it.
nullc
Often worse than the original system, because the writers expertise and motivation are different.

At times the authors who rewrite-in-foo are just motivated to expand the foo ecosystem and are not primarily interested in making a working program, much less in possession of the requisite subject matter expertise or focus.

djmips
All the rewriters are offended by the truth.
8 More Comments →
vlovich123
I’m a pretty big advocate on Rust and while Rust does protect classes of certain kinds of bugs and probably encourages better unit test hygiene and thus higher code quality, it does not protect against logic bugs and all the historical CVEs and thus it’s possible for previous exploits vectors to resurface. Thus it’s not an unreasonable prior to assume there are vulnerabilities lurking.

On the other hand, if the replacement isn’t targeting full sudo feature set and also reducing the amount of code and/or making architectural improvements like keeping most code not running as root, then the blast area of such logic bugs can be reduced.

throw0101b
> Some functionality is not supported, such as […] storing config in LDAP using sudoers.ldap, and cvtsudoers.

* https://github.com/trifectatechfoundation/sudo-rs?tab=readme...

Well that makes it useless for $WORK (for now), as we use LDAP as our central policy repo (and more generally our user account store). Will have to wait until (at least) that's implemented before we can even consider it.

> It's permissively licensed, unfortunately. Wonder why.

So it can be used distributed with fewer legal hassles.

udev4096
I am surprised that no one mentioned run0 [0] in this thread

[0] - https://www.freedesktop.org/software/systemd/man/devel/run0....

stephenr
> It's permissively licensed, unfortunately.

Well damn that's a shame. I just hate it when people let others use their work in a way they choose, that happens to be less restrictive than my own personal choices.

/s of course.

scheeseman486
Worked out for Linux, which remains a largely open, collaborative ecosystem. Meanwhile all the BSDs are good for are as less-good Linuxes that can be shoved into proprietary products. Google is choking out AOSP, which they can do because of Android's "less restrictive" license.

Copyleft licenses are demonstrably better for open source projects in the long run. We've had enough time to prove that out now.

jcranmer
The success of Linux over BSD has more to do with a lawsuit in the early 90's over whether or BSD infringed on Unix's source code, which made Linux the only viable open source Unix-like operating systems if you had to ask a legal department the question.

Look beyond the OS, and much of the tech stack is dominated by non-copyleft open source projects. Both the major web servers--Apache and nginx--are permissively licensed, for example. Your SSL stacks are largely permissively licensed; indeed, most protocol servers seem to me to largely be permissively licensed rather than copyleft.

And I should also point out a clear example where copyleft has hobbled an ecosystem: Clang and LLVM have ignited a major compiler-based ecosystem of ancillary tools for development such as language servers. The gcc response to this is... to basically do nothing, because tight integration of the compiler into other components might allow workarounds that release the precious goodness of gcc to proprietary software, and Stallman has resisted letting emacs join in this revolution because he doesn't want a dependency on non-copyleft software. An extra cruel irony is that Clang appears to be an existential threat to the proprietary EDG compiler toolchain, which would mean it took a permissive license to do what the goal of the copyleft license was in the first place: kill proprietary software.

Xylakant
I think it's pretty reductive to boil down linux' success to the choice of license. There's governance model, development model, institutional inerta, ... - and the linux ecosystem contains tons of permissively licensed pieces of software, some of which massively contributed to its success (the once-default webserver that came with its own permissive license, the APL). Even the kernel includes APL, BSD-2 Clause and MPL'ed code.

To the contrary, GNU Hurd is GPL'ed and is much less successful than the linux kernel.

umanwizard
That is an extremely cherry-picked example. There are plenty of examples of permissively-licensed software that is very successful, and no evidence that the license choice is why Linux won.
spookie
Good take. Also note the very well thought out decision from Linus and team to keep GPLv2, it is a balancing game.

In the end, if you want projects to succeed they need contributors. Unfortunately, some of them need to be reminded to play fair more than others, and in those cases the legalese helps.

stephenr
I'm not even going to point out the hundreds of counter examples to your argument.

You clearly didn't understand my point: I'm not arguing about whether GPL is better than MIT or BSD or even SSPL/etc.

My point is that if someone else chooses to release their software with less restrictions on it than I would choose, that's literally none of my business.

They wrote the fucking thing, they get to choose how it's fucking licensed.

Plenty of organisations (and thus people) skip using GPL licensed software due to inability or unwillingness to be bound by it's terms.

I'm still waiting for the day the GPL camp says they're not going to use things like OpenSSH, Apache, Nginx, Postgres, Python, Ruby - because they're too fucking permissive.

wesselbindt
Given that enshittification is a thing, and embrace extend extinguish is a thing, I'm inclined to agree with you there, without the /s.
tgbugs
This is yet another case where my policy of stripping out unnecessary dependencies has paid off. thunar-volman and kde solid both pull in udisks by default but back in 2017 I started maintaining a fork of the default Gentoo ebuild to eliminate the dependency on udisks. The thunar-volman case is a great example of why Gentoo use flags are useful no only for customizing a system but for security by making it easier to reduce the attack surface by disabling features that upstreams leave enabled by default.

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal