The following system change proposal has been submitted to the Technical 
Steering Committee.  If you are interested, please comment on 
https://gitlab.alpinelinux.org/alpine/tsc/-/issues/1 so that the TSC can 
consider your feedback.

===

## Summary

At present, `sudo` is in the `main` repository, which requires us to 
provide security support for 2 years.  Upstream `sudo` does not provide an 
"LTS" lifecycle, so this requires either performing security upgrades 
during the maintenance lifecycle, or backporting security fixes by hand.

## Benefit to Alpine

Prior to the creation of the security team, there was an unofficial 
preference to push `doas` as the preferred pivot tool for Alpine.  This 
reinforces that messaging.

Additionally, we do not have to support `sudo` for a 2 year lifecycle, 
since there are no LTS branches for it.

## Contingency Plan

If there is a problem with implementing this plan, we will move `sudo` 
back to `main` from `community`, but no such problem is expected.

## Documentation

This will need to be documented in the release notes.  We should recommend 
`doas` as the preferred pivot tool, noting that `sudo` is available in 
`community` if explicitly wanted.

## Owners

@kdaudt and @kaniini will implement this change on behalf of 
@team/security.

## Timeline

We would like to implement this change within the next few weeks, with TSC 
approval.

===

Ariadne

Hi,

Ariadne Conill <ariadne@dereferenced.org> wrote:
> ## Documentation
>
> This will need to be documented in the release notes.  We should recommend 
> `doas` as the preferred pivot tool, noting that `sudo` is available in 
> `community` if explicitly wanted.

I am all for replacing sudo with something else. The problem I have with
doas is that there is presently no official port to Linux by the OpenBSD
folks so we would probably just end up recommending installation of
OpenDoas (main/doas) [1] which is not an official port/project from
OpenBSD project.

Porting doas from OpenBSD to Linux is actually not that trivial. For
instance, Linux does not have the TIOCSETVERAUTH ioctl used by OpenBSD's
doas version for persisting authentication [2]. For this reason,
OpenDoas disables the persist feature by default and refers to their
optional persist implementation as "new and potentially dangerous", we
presently enabled this "potentially dangerous" code by default btw
(--with-timestamp). Similarly, Linux also does not have other library
functions used by OpenBSD's doas version such as setusercontext [3] and
there is just a possibly for vulnerabilities to occur in the portability
layer of OpenDoas. For example, see CVE-2019-25016 [4] where the
LOGIN_SETPATH setusercontext flag was not correctly mimicked in
OpenDoas.

In my view OpenDoas actually deviates quite heavily from the original
OpenBSD doas codebase which is why I am personally still using sudo.
There are also somewhat "simpler" ports, for example the oasis patchset
by Michael Forney [5] though it is also subject to the problem outlined
above [6].

I think OpenDoas is a great project, I am just unsure if we really want
to recommend it by default given the fact that it requires suid and is
an unofficial port.

> Additionally, we do not have to support `sudo` for a 2 year lifecycle,
> since there are no LTS branches for it.

Please not that OpenBSD upstream also only offers support for 1 year,
i.e. the two most recent releases [7].

On a side note: There is also some interesting research which allows
implementing a sudo-like utility on Linux without requiring suid
binaries [8]. Unfortunately, while the Linux kernel module required for
this approach was in upstream staging for a while it has been removed a
long time ago [9].

Greetings,
Sören

[1]: https://github.com/Duncaen/OpenDoas
[2]: https://man.openbsd.org/tty.4#TIOCSETVERAUTH
[3]: https://man.openbsd.org/setusercontext
[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25016
[5]: https://github.com/oasislinux/oasis/blob/dce7387ae2c7293204031c7698d2fca5995e3f84/pkg/openbsd/patch/0015-doas-Port-to-linux-musl.patch
[6]: https://github.com/oasislinux/oasis/commit/6dfea0c1af69f11b41fba979746b5615a5ec477b#r49125998
[7]: https://www.openbsd.org/faq/faq10.html#Patches
[8]: https://doi.org/10.1145/1400097.1400101
[9]: https://github.com/torvalds/linux/commit/2d629030ca649bd4a7356befedbe7bbefa840b21