91views
Securing your Ubuntu 26.04 system begins with one of the most critical components: how privilege escalation is managed. In this release, Canonical introduces a major change by making sudo-rs the default replacement for the traditional sudo utility.
This Rust-based reimplementation is designed to provide the same core functionality as the classic C-based sudo, while enhancing memory safety and reducing the overall attack surface. In this article, we’ll take a closer look at what sudo-rs brings to Ubuntu 26.04, how it compares to the traditional sudo, and how you can switch between the two implementations if needed.
Software Requirements
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Ubuntu 26.04 Resolute Raccoon |
| Software | sudo-rs (default), sudo (optional alternative) |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
What Is sudo-rs?
sudo-rs is a reimplementation of the traditional sudo utility, written from scratch in Rust by the Trifecta Tech Foundation. The package also includes Rust-based su and visudo implementations. The project’s primary goal is to improve the security of one of the most critical components in any Linux system: the privilege escalation mechanism.
The original sudo, written in C, has been a cornerstone of Unix-like systems for decades. However, its C codebase has historically been a source of memory safety vulnerabilities, including buffer overflows and use-after-free bugs. By rewriting sudo in Rust, sudo-rs eliminates entire categories of these vulnerabilities at the language level.
Canonical began integrating sudo-rs into Ubuntu starting with the 24.10 release cycle, and by Ubuntu 26.04, it ships as the default sudo provider. Consequently, when you run sudo on a fresh Ubuntu 26.04 installation, you are already using sudo-rs without any manual configuration required.
Checking Your sudo-rs Installation on Ubuntu 26.04
To confirm which sudo implementation is active on your Ubuntu 26.04 system, start by checking the version output:
$ sudo --version
If sudo-rs is active, the output is a single line identifying sudo-rs and its version number. In contrast, the traditional sudo displays a multi-line string beginning with Sudo version:
$ sudo.ws --version
Additionally, you can verify the installed packages directly using dpkg:
$ dpkg -l | grep -E 'sudo-rs|^ii sudo '
Note that both packages can be installed simultaneously on Ubuntu 26.04. The system uses the APT alternatives mechanism to determine which one is active. You can inspect this with:
$ update-alternatives --query sudo | grep -E "^(Status|Best|Value):"
The sudo-rs binary at /usr/lib/cargo/bin/sudo has a higher priority (50) than the traditional sudo at /usr/bin/sudo.ws (priority 40), so it wins in auto mode. Furthermore, you can verify the symlink chain:
$ ls -la $(which sudo)
Key Behavioral Differences Between sudo-rs and Traditional sudo
While sudo-rs aims for compatibility with the original sudo, our testing on Ubuntu 26.04 revealed several concrete behavioral differences. The following comparison table summarizes the key findings:
| Feature | sudo-rs | Traditional sudo |
|---|---|---|
| Password prompt | [sudo: authenticate] Password: | [sudo] password for linuxconfig: |
| Password feedback | Asterisks (**********) | Blank (no visual feedback) |
SUDO_TTY variable | Not set | Set (e.g. /dev/pts/0) |
MAIL variable | Not set | Set (e.g. /var/mail/root) |
| Timestamp storage | /run/sudo-rs/ | /var/lib/sudo/ |
Password Prompt and Feedback
The most immediately visible change is twofold. First, sudo-rs displays a different prompt format: [sudo: authenticate] Password: instead of the traditional [sudo] password for username:. Second, sudo-rs shows asterisks as you type your password by default, whereas traditional sudo provides no visual feedback at all. This pwfeedback behavior is built into sudo-rs by default, making the experience more intuitive for new users.
If you prefer the traditional silent behavior, you can disable this by adding the following line to your sudoers configuration using visudo:
$ sudo visudo
Then add:
Defaults !pwfeedback
Environment Variable Differences
Our testing confirmed that sudo-rs does not set two environment variables that traditional sudo provides: SUDO_TTY and MAIL. All other standard sudo variables (SUDO_USER, SUDO_UID, SUDO_GID, SUDO_HOME, SUDO_COMMAND) are set identically by both implementations.
You can verify this yourself:
$ sudo printenv SUDO_TTY (no output) $ sudo.ws printenv SUDO_TTY /dev/pts/0
Timestamp Storage
sudo-rs stores its authentication timestamps in /run/sudo-rs/, completely separate from the traditional sudo’s /var/lib/sudo/ directory. This means that invalidating timestamps with sudo -k in one implementation does not affect the other. If both packages are installed and you switch between them, each maintains its own credential cache independently.
Logging Behavior
sudo-rs logs authentication events to the system journal, similar to the original. Nevertheless, the log format and level of detail may differ slightly. You can inspect sudo-related log entries using:
$ journalctl -e | grep sudo
sudo-rs Compatibility and Limitations
Although sudo-rs covers the vast majority of common use cases, there are some limitations and differences worth noting on Ubuntu 26.04.
The su Command Is Not Replaced
Despite the package name (“sudo and su implementations”), the system’s su command on Ubuntu 26.04 remains the traditional version from util-linux:
$ su --version
However, sudo-rs does provide its own Rust-based su implementation, available as su-rs:
$ su-rs --version
Unlike sudo, there is no alternatives entry for su, so su-rs must be called explicitly. Note that su-rs requires a root password to be set (Ubuntu does not set one by default), so you would need to run sudo passwd root before using it.
Unsupported Sudoers Directives
As of the sudo-rs version shipped with Ubuntu 26.04, some advanced sudoers directives are not supported. These include certain options related to SELinux roles, some Defaults settings, and specific PAM session configurations. If sudo-rs encounters an unsupported directive in your sudoers file, it will typically log a warning and ignore the directive rather than failing outright.
Additionally, the sudo-rs visudo only validates /etc/sudoers itself, while the traditional visudo.ws also checks files in /etc/sudoers.d/:
$ sudo visudo -c /etc/sudoers: parsed OK $ sudo visudo.ws -c /etc/sudoers: parsed OK /etc/sudoers.d/README: parsed OK
Plugin System
Traditional sudo supports a plugin architecture that allows third-party extensions for logging, approval workflows, and I/O capture. sudo-rs does not currently implement this plugin system. If your environment depends on sudo plugins (for example, for centralized audit logging), you may need to continue using the traditional sudo implementation.
Command-Line Flag Compatibility
Our testing confirmed that all commonly used flags work identically between both implementations: -l, -i, -s, -E, -S, -A, -n, -k, -K, and --preserve-env all produced the same behavior. One minor difference is that sudo-rs -V exits with code 0, while sudo.ws -V exits with code 1.
Switching Between sudo-rs and Traditional sudo
Ubuntu 26.04 makes it straightforward to switch between sudo-rs and the traditional sudo implementation. Both packages use the APT alternatives system with sudo as the master link controlling sudo, sudoedit, and visudo simultaneously.
Understanding the Alternatives System
On a default Ubuntu 26.04 system, both packages are already installed. The alternatives system selects the active one based on priority:
$ sudo update-alternatives --display sudo
Since sudo-rs has a higher priority (50 vs 40), it is selected automatically. You can override this by manually setting the active alternative.
Switching to Traditional sudo
To switch to the original C-based sudo, use update-alternatives:
$ sudo update-alternatives --set sudo /usr/bin/sudo.ws
Verify the switch was successful:
$ sudo --version
The output should now display the traditional Sudo version string.
Alternatively, you can invoke the traditional sudo directly at any time without switching the default:
$ sudo.ws --version
Switching Back to sudo-rs
To return to the Rust-based implementation, either set it explicitly or restore auto mode:
$ sudo update-alternatives --set sudo /usr/lib/cargo/bin/sudo
Or restore automatic priority-based selection:
$ sudo update-alternatives --auto sudo
Confirm the change:
$ sudo --version
IMPORTANT
Your sudoers configuration files (/etc/sudoers and files in /etc/sudoers.d/) are preserved when switching between implementations. Both packages read the same configuration files. However, remember that sudo-rs may silently ignore directives it does not support, so test your sudo configuration after switching.
[IMAGE PLACEHOLDER: Terminal showing the process of switching from sudo-rs to traditional sudo and back]
Conclusion
Ubuntu 26.04’s adoption of sudo-rs as the default privilege escalation tool represents a meaningful step toward improved system security through memory-safe software. Our testing confirmed that for the vast majority of users and administrators, the transition is seamless: all commonly used flags work identically, and standard sudoers configurations are parsed correctly. The practical differences boil down to cosmetic changes (a different prompt format and password asterisks), two missing environment variables (SUDO_TTY and MAIL), and the absence of the plugin system. Moreover, the fact that both implementations coexist on the same system and can be invoked directly or switched via update-alternatives ensures that users with advanced requirements always have a fallback path. As sudo-rs continues to mature, the remaining gaps will narrow further, making it a solid foundation for Ubuntu’s security model going forward.
add a comment
Ubuntu 26.10 Stonking Stingray Officially Announced for October 15 Release
Canonical has added Ubuntu 26.10 to the public roadmap, confirming the codename “Stonking Stingray” and a targeted release date of October 15, 2026. Ubuntu...
How to Install and Configure PostgreSQL on Ubuntu 26.04
PostgreSQL is a robust, open-source object-relational database system that has been trusted in production environments worldwide for decades. If you’re...
htop 3.5 System Monitor Released with Backtrace Screen, New Meters
htop 3.5 has been released as the first major upstream update in about a year, bringing interface refinements, new monitoring...
How to Getting started with Portmaster
What is portmaster Every time you connect to the internet, dozens of applications on your computer are making network connections...
