Package Details: sudo-rs 0.2.4-3

Git Clone URL: https://aur.archlinux.org/sudo-rs.git (read-only)
Package Base: sudo-rs
Description: A safety oriented and memory safe implementation of sudo and su written in Rust.
Upstream URL: https://github.com/trifectatechfoundation/sudo-rs
Keywords: su-rs sudo-rs visudo-rs
Licenses: Apache-2.0 AND MIT
Conflicts: sudo-rs
Provides: sudo-rs
Submitter: taotieren
Maintainer: taotieren (svinto)
Last Packager: taotieren
Votes: 8
Popularity: 0.78
First Submitted: 2023-09-01 09:17 (UTC)
Last Updated: 2025-02-26 10:08 (UTC)

Pinned Comments

Antiz commented on 2025-02-23 13:06 (UTC) (edited on 2025-02-23 15:13 (UTC) by Antiz)

Since version 0.2.2-2, this PKGBUILD mistakenly sets the suid / sgid bit on the visudo-rs binary, which (under certain / specific circumstances) can therefore be exploited to read, write and create any file on the system without any privilege requirement.
This includes creating drop-in sudo configuration in /etc/sudoers.d or editing the main /etc/sudoers configuration which, as a side effect, will mess with the permission of the file, preventing anyone from using sudo on the system anymore.

This has been fixed in version 0.2.3-5.
For anyone running this package prior to version 0.2.3-5, it is highly advised to update as soon as possible.

Latest Comments

Antiz commented on 2025-02-23 14:12 (UTC)

@woodsb02 Seems like it, indeed.

woodsb02 commented on 2025-02-23 14:08 (UTC)

@Antiz do you think this suid/sgid packaging issue also caused this issue? https://github.com/trifectatechfoundation/sudo-rs/issues/1001

sga013 commented on 2025-02-14 08:27 (UTC)

I tried to replace sudo with sudo-rs, and it did not work; the following error comes up:

sudo-rs: invalid configuration: No such file or directory (os error 2)

So it does not provide a sudoers file. I made a copy of the sudoers provided by sudo, then the following error comes up:

sudo-rs: cannot open sudoers file /etc/sudoers.d
sudo-rs: PAM error: PAM returned an error (AuthError): Authentication failure

So I also copied the /etc/pam.d/sudo file from sudo, and also created the /etc/sudoers.d

I think these files can be provided by PKGBUILD

Also, why is Clang required? Can this be any standards-compliant C compiler (most people already have gcc)?

svinto commented on 2024-07-02 18:00 (UTC)

@kemelzaidan That should not be true. All installed binaries have names that end with "-rs" to avoid a conflict.

kemelzaidan commented on 2024-07-02 15:40 (UTC)

My understanding is that his package conflicts with the original sudo, doesn't it? And that should be in the PKGBUILD. Am I wrong?

svinto commented on 2024-03-24 18:37 (UTC)

@taotieren Yes please.

taotieren commented on 2024-03-23 01:39 (UTC)

@svinto Thanks for the feedback, it's been fixed, would you like to be added to the co-maintainers?

svinto commented on 2024-03-13 12:49 (UTC) (edited on 2024-03-13 12:50 (UTC) by svinto)

It seems the sudo-rs provided binaries are not fully compatible with Arch distribution. The -i (--login) option does not work.

Ref: https://github.com/memorysafety/sudo-rs/issues/832#issuecomment-1994101988

I see two ways to fix this in this AUR:

  1. Copy/symlink the sudo PAM module: cp /etc/pam.d/sudo /etc/pam.d/sudo-i

  2. Compile sudo-rs instead of using the provided binaries, and patch the following line to never use "sudo-i": https://github.com/memorysafety/sudo-rs/blob/ebd3e60024b88c4506da69b86a96a4ec694d3c04/src/sudo/pam.rs#L114

svinto commented on 2024-03-08 22:55 (UTC) (edited on 2024-03-12 19:17 (UTC) by svinto)

Currently the setuid and setgid are not set for the binaries due to a bug in package() in PKGBUILD.

Code like this is invalid:

[ -f "$file" = "sudo" ]

Changing it to this should make it work:

[[ -f "$file" || "$file" = "sudo" ]]
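
Added example, not part of the thread or the PKGBUILD: a POSIX shell check for both set-id problems reported in these comments, the bits missing from the binaries and the bit wrongly present on visudo-rs. It assumes the binaries are named sudo-rs, su-rs and visudo-rs as in the package keywords, and that only sudo-rs and su-rs are meant to be set-id; `audit_setid` and its directory argument are names chosen for this example.

```sh
#!/bin/sh
# Added example (not the package's own code).
# Assumption: these are the binaries the package installs (from its keywords).
PKG_BINARIES="sudo-rs su-rs visudo-rs"
# Assumption: only these two are meant to carry the setuid/setgid bit.
SETID_EXPECTED="sudo-rs su-rs"

# audit_setid DIR
# Checks each packaged binary in DIR, prints one finding per line,
# and returns 1 if any finding was printed, 0 otherwise.
audit_setid() {
    dir=$1
    status=0
    for name in $PKG_BINARIES; do
        path=$dir/$name
        if [ ! -f "$path" ]; then
            printf 'missing: %s\n' "$name"
            status=1
            continue
        fi
        # test -u / -g are true when the setuid / setgid bit is set.
        setid=no
        if [ -u "$path" ] || [ -g "$path" ]; then
            setid=yes
        fi
        # Decide by binary name, not by "is a regular file".
        case " $SETID_EXPECTED " in
            *" $name "*) want=yes ;;
            *)           want=no ;;
        esac
        if [ "$setid" = yes ] && [ "$want" = no ]; then
            printf 'unexpected set-id bit: %s\n' "$name"
            status=1
        elif [ "$setid" = no ] && [ "$want" = yes ]; then
            printf 'set-id bit not set: %s\n' "$name"
            status=1
        fi
    done
    return "$status"
}
```

Point it at the directory that holds the installed binaries, or at the staging directory at the end of package(), and treat a non-zero return as a failed check.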