sudo and su

Prossimo Initiative
ISRG celebrates 10 years of helping build a brighter Internet →
sudo and su logo

Work Plan

Milestone 0: Preparation

  • System architecture and requirements
  • Project setup
  • Sudoers file parsing

Milestone 1: Drop-in replacement with a default config

  • Core sudo pipeline from policy verification to minimal command execution without security features
  • Sudoers based policy, with limited feature support
  • Authentication based on PAM
  • Command execution using exec with basic signal and fd passing
  • Test for Ubuntu 22.04 with a default sudoers config
  • Setup testing framework

Milestone 2: Security parity

  • Core sudo pipeline with full sanitation of signals, file descriptors, limits, ptrace, etc. and more efficient command execution
  • Add su implementation
  • Testing for full security compliance
  • SELinux support
  • AppArmor support
  • Wider configuration feature flag support
  • User facing documentation

Milestone 3: Subcommand auditing

  • Support for subcommand interception

Milestone 4: Enterprise features

  • LDAP support
  • Hostname matching for sudoers
  • Full audit and IO logging
  • Mail events
  • Authentication for passwd and Kerberos (without PAM)
  • Support for more than 16 user groups (group_file plugin)