sudo vs sudo-rs: What the Rust Version of sudo Changes

Fri, 01 May 2026 19:27:08 +0800

sudo is one of the most familiar commands for Linux users. It allows a normal user to temporarily run commands with higher privileges within an authorized scope, such as installing software, changing system configuration, or restarting services.

Recently, sudo-rs has attracted more attention because Ubuntu 25.10 starts using the Rust implementation sudo-rs by default to replace classic sudo. For ordinary users, the command on the surface is still sudo. The real change is underneath: the implementation being executed may already be the Rust version of sudo.

This raises two natural questions:

Is something wrong with classic sudo?
Will sudo-rs affect daily use and server configuration?

The short answer is: ordinary desktop users basically do not need to worry; if you maintain servers, have written complex sudoers rules, or rely on special sudo behavior, you should test carefully.

What Is sudo-rs?

sudo-rs is an implementation of sudo / su written in Rust. Its goal is not to create a completely different new command, but to reimplement the main features of classic sudo while using Rust’s memory-safety properties to reduce common security risks.

Classic sudo is mainly written in C. It has a long history and a very complete feature set. That maturity brings stability, but it also brings maintenance burden. Much of the code comes from very early Unix/Linux use cases, with many compatibility paths, extensions, and edge-case handlers added over time.

sudo-rs chooses to reimplement it for several reasons:

reduce memory-safety issues with Rust;
use a more modern code structure to lower maintenance difficulty;
remove some historical features and risky default behaviors;
attract new contributors familiar with Rust;
provide a more auditable foundation for future privilege-elevation tools.

However, sudo-rs is not a 100% compatible replacement for classic sudo. It is still under development. Some traditional features have not been implemented yet, and others may never be implemented.

What Ordinary Users Will Notice

For ordinary users, very little changes.

You still use it like this:

`1`	`sudo apt update`

Or:

`1`	`sudo systemctl restart nginx`

In Ubuntu 25.10, sudo points to sudo-rs. Users do not need to change commands to sudo-rs, and common sudo calls in scripts will not immediately fail because of a command-name change.

The most visible change is password input feedback. sudo-rs shows asterisks by default when you type the password. Classic sudo can also be configured to behave this way, but many distributions default to showing no characters.

Some error and warning messages may also use different wording. For example, password failures, permission problems, and incompatible configuration may show prompts that are not exactly the same as before. This has little impact on human users, but scripts that parse sudo’s error output should be checked.

What Administrators Should Watch

System administrators and advanced users are the ones who need to pay attention.

The classic sudo ecosystem is large, and many servers have complex sudoers configurations. These configurations may include command-argument matching, environment-variable control, logging, email notifications, PAM behavior, and host-group policies.

sudo-rs currently has some differences from classic sudo. For example, the original article notes that sudo-rs does not include classic sudo’s sendmail support. Some environments used sendmail to send notifications about sudo usage, and those setups will need another approach when migrating.

For authentication, sudo-rs uses PAM. This means behaviors such as resource limits and umask should be configured more through PAM, rather than relying entirely on the sudoers file. If you previously handled many details in sudoers, verify that those rules still work before switching.

Another important change is wildcard support in command argument positions. sudo-rs does not support wildcards in command argument positions, in order to avoid common sudoers configuration mistakes. This is good for security, but it may affect existing rules.

How Ubuntu Handles sudo and sudo-rs

Starting with Ubuntu 25.10, the system uses sudo-rs by default. Users continue typing sudo, while the Rust implementation runs underneath.

Classic sudo has not disappeared immediately. During Ubuntu’s transition, classic sudo is still kept as sudo-ws. If you truly need the traditional implementation, you can use sudo-ws, or switch the default sudo through the alternatives system.

The switching command looks like this:

`1`	`sudo update-alternatives --config sudo`

That said, ordinary users should not actively switch back to classic sudo. If you have not customized sudoers and do not rely on special behavior, following the distribution default is simpler.

If you want to test on older Ubuntu versions, sudo-rs has been available from the universe repository since Ubuntu 24.04. Other distributions may also provide packages, but command names and integration methods may differ.

Why sudo-rs Uses Rust

sudo is a high-privilege tool. If this kind of tool has a vulnerability, the consequences can be much more serious than with ordinary commands. Historically, sudo has had several privilege-escalation vulnerabilities.

Rust’s advantage is memory safety. Through ownership, borrow checking, and the type system, it reduces common problems such as dangling pointers, out-of-bounds access, and use-after-free. This does not guarantee that the program is absolutely safe, but it can reduce a class of vulnerabilities common in C/C++ projects.

For a tool like sudo, which sits in a security-sensitive position for a long time, rewriting it in a safer language has practical meaning. It is not just “Rust for Rust’s sake”; it is an attempt to reduce maintenance and audit cost.

Of course, language cannot solve every security problem. Permission-check logic, configuration parsing, PAM interaction, environment-variable handling, logging, and user experience still require careful design and long-term testing.

sudo-rs Is Not the Only Alternative

There have always been other alternatives in the sudo ecosystem.

One common example is doas. It comes from OpenBSD and is designed to be simpler, with a smaller configuration surface. Some users prefer it because it is not as complex as sudo.

There are also some Rust or systemd-related alternatives, such as RootAsRole and systemd’s run0. However, these tools do not have exactly the same goals or target scenarios.

For most Linux distributions, sudo is still the default choice. The significance of sudo-rs is that it tries to keep user habits unchanged while replacing the underlying implementation with a more modern codebase.

What to Check Before Migrating

If you are just a personal desktop user, follow the distribution default.

If you maintain servers or workstations, check the following:

Whether there are complex /etc/sudoers or /etc/sudoers.d/ rules.
Whether command-argument wildcards are used.
Whether sudo email notifications are relied on.
Whether scripts parse sudo’s error output.
Whether sudoers controls umask, resource limits, or environment variables.
Whether LDAP, PAM, SSSD, or other authentication integrations are used.
Whether automation/deployment scripts assume classic sudo behavior.

You can first verify on a test machine:

sudo -l

Then run key maintenance commands and confirm that permissions, environment variables, and logging behavior match expectations.

Should You Switch to sudo-rs Manually?

If your distribution has already switched by default, ordinary users can accept it directly. If you are using a server or production environment, do not manually replace sudo just for experimentation.

A safer process is:

install sudo-rs in a test environment;
verify existing sudoers configuration item by item;
check PAM, logging, auditing, and automation scripts;
confirm the rollback path;
migrate after the distribution provides stable integration.

This kind of tool sits on the privilege chain, so it is not enough to judge it by whether a few commands can run. The real test is boundary conditions and failure cases.

Summary

sudo-rs is a Rust implementation of classic sudo, aiming to support sudo’s core features with a more modern and safer codebase. Ubuntu 25.10 enabling it by default shows that major distributions are starting to push this direction seriously.

For ordinary users, the change is small. You still type sudo; only the underlying implementation may have become sudo-rs. At most, you may notice password asterisks or slightly different error messages.

For system administrators, compatibility is the key issue. If the system has complex sudoers rules, sendmail notifications, PAM integration, argument wildcards, or scripts that depend on sudo output, test before upgrading.

Rewriting in Rust is not a magic cure, but for a security-sensitive tool like sudo, reducing memory-safety risk and maintenance complexity is a direction worth taking seriously.

References:

Sudo on KnightLi Blog