But to be fair ...

Is it the implementation language being the main issue? Or is it the flexibility of extending it with plugins and that it is effectively a setuid tool, granting root access immediately when an unprivileged user starts the program (the privileges are reduced first when it has parsed the sudo config).

Sudo is a nice tool from the user's side. But security wise it's a disastrous approach. Privileges should first be elevated *after* the config has been parsed and the expected privilege level has been established. Then the tool should ideally jump to that privilege level directly.

This post introduces some new ideas ... https://tim.siosm.fr/blog/2023/12/19/ssh-over-unix-socket/

It's not a perfect approach in all cases. But it gets rid of the setuid issue.

#linux #sudo #security

sudo without a setuid binary or SSH over a UNIX socket

In this post, I will detail how to replace sudo (a setuid binary) by using SSH over a local UNIX socket. I am of the opinion that setuid/setgid binaries are a UNIX legacy that should be deprecated.

^{Siosm's blog}