Introduction

Privilege escalation in Linux has always walked a tightrope between convenience and risk. sudo allows users to perform tasks as root without sharing the root password—intuitive, powerful—but also a high-value target for exploits rooted in memory safety bugs. Ubuntu is now pioneering a transition: replacing the traditional C-based sudo with sudo‑rs, a Rust-powered rewrite engineered for safer root handling.

Understanding sudo‑rs

Built under the Trifecta Tech Foundation’s “Privilege Boundary” initiative, sudo‑rs is a from-scratch implementation of sudo and su created in Rust, a language celebrated for its compile-time guarantees against memory mishaps. Designed to behave like the classic “sudo,” it supports user prompts, permission checks, and environment handling, but keeps underlying behavior Turing-equivalent.

Why Ubuntu Is Betting on Rust

Rust’s strict approach to memory usage eradicates whole classes of vulnerabilities—like buffer overflows and use-after-free—that have long plagued system tools. For a utility as privileged as sudo, these protections offer exponentially greater security value. Ubuntu’s strategy, dubbed “Carefully But Purposefully Oxidising Ubuntu,” is a methodical shift toward memory-safe tooling.

Transitioning in Ubuntu 25.10 and Beyond

Canonical has announced that Ubuntu 25.10 (“Questing Quokka”), scheduled for October 9, 2025, will ship sudo‑rs as the default /usr/bin/sudo. This serves as a proving ground ahead of Ubuntu 26.04 LTS (April 2026). Regular users will find no change—commands, flags, and password prompts remain familiar—while Ubuntu monitors real-world feedback.

Ensuring Compatibility

To deliver a smooth switch, Canonical is funding “Milestone 5” development in sudo‑rs to implement:

• NOEXEC for shell escape control,

• AppArmor integration,

• sudoedit,

• Support for kernels older than 5.9 (critical for Ubuntu 20.04 containers).

A “less‑is‑more” philosophy guides, meaning legacy niche features—like LDAP-based sudoers—might remain absent. But, for most workflows, sudo‑rs should cover every essential feature.

Coexistence and Rollback

Ubuntu’s old sudo will still be available in the repositories and can be reselected via the alternatives system. Users needing features not yet ported to sudo‑rs can effortlessly revert.

Real-World Security Lessons

Earlier this year, two severe vulnerabilities—CVE‑2025‑32462 and CVE‑2025‑32463—were unearthed in the classic sudo. The first allowed host-restriction bypass, and the second enabled root shell execution via --chroot. These issues, undetected for over a decade, highlight the danger of systemic memory flaws.

By contrast, similar errors in sudo‑rs—such as CVE‑2024‑36454 (enumerating sudoers with -U) and CVE‑2025‑46718 (folge on enumeration)—were resolved in v0.2.6, demonstrating rapid responsiveness.

Defense-in-Depth with Rust and Hardening Tools

Ubuntu’s path isn’t just swapping languages; it's part of a layered security strategy:

• Rust’s safety avoids entire bug classes.

• AppArmor/SELinux policies add containment.

• Regular patches for both C- and Rust-based sudo ensure resilience.

Trying sudo‑rs Today

Keen users on Ubuntu 24.04 LTS or 24.10 can install sudo‑rs from the universe repository. Tools like oxidizr simplify swapping between traditional and Rust implementations . Feedback during 25.10's development cycle will shape readiness for LTS adoption.

The Larger Impact

Ubuntu’s shift to sudo‑rs symbolizes a broader movement. Other mission-critical tools—uutils coreutils, findutils, diffutils—are also being recrafted in Rust. As a widely adopted OS, Ubuntu sets precedent: when memory-safe Rust meets systemic security goals, others may follow.

Conclusion

The move to sudo‑rs underscores Ubuntu’s dedication to secure foundations. The daily user won’t notice a change—as sudo remains the same—yet beneath the surface, privilege escalation gains formidable protection. With measured rollout, fallback options, and transparency, Ubuntu is transforming risk into reassurance. And when 26.04 LTS lands in April 2026, millions will wield a leaner, safer root.