Ubuntu will include a Rust-only rewrite of sudo in its 25.10 release, slated for October of this year.

Adopting sudo-rs By Default in Ubuntu 25.10

The sudo-rs project is designed to be a drop in replacement for the original tool. For the vast majority of users, the upgrade should be completely transparent to their workflow. That said, sudo-rs is not a “blind” reimplementation. The developers are taking a “less is more” approach. This means that some features of the original sudo may not be reimplemented if they serve only niche, or more recently considered “outdated” practices.

This effort is part of Canonical’s north star of “oxidising” Ubuntu. They want to improve Ubuntu’s stability and resilience by replacing the most core programs with memory-safe alternatives. And obviously sudo is a great place to start. Its role is to let trusted user accounts run commands as another user — including root. A vulnerability in sudo is obviously a worst-case scenario: if an attacker could trick sudo into providing root access, then it’s game over and the system is fully compromised.

Since sudo is written in C, it has no protection against these types of problems. In fact, attacks have happened in recent memory. In 2021, Qualsis published a CVE where calling sudoedit -s '\' allows an attacker to use environment variables to get root access on any default sudo implementation. This bug had been lurking for about ten years, which is about as close to a “holy shit” moment as I usually get with security issues.

So what’s left before sudo-rs can ship by default in Ubuntu? They have a few things to finish before launch: proper internationalization support, and some attempts at reducing the binary size.

I also want to revisit a fun point from the initial announcement: they’re intentionally dropping features and breaking compatibility with regular sudo!

Naturally, they’re doing this in cases where they don’t expect that it will matter. You can see the complete list here, but it ranges from mundane stuff like “the sudoers file must be valid UTF-8,” which is fair enough in the Year of our Lord 2025. There is also stuff like “This will only work in a system with PAM, we should not rely on the sudoers file to specify things like umasks.” But then there was the one that really surprised me: they are removing sendmail support from sudo.

Wait, sudo can send email? And not just to the regular mail spool destinations inside of Linux, but it can actually fire up sendmail and send an honest-to-God email directly? This surprised me, although I’m not familiar enough with system administration. When you’re not a system administrator, it’s really easy to imagine aggroing an administrator, who would be very happy to tell you that there are obviously systems where sendmail and sudo both run, but there isn’t any type of integrated mail spooler. It’s a variation on Zawinski’s law1 for sure, and since sudo is a command runner, it can read mail given the right input command. It’s only natural that it should want to send email back.