🧠 Humans of Cyber | Todd C. Miller
sudo, stewarded by Todd C. Miller, evolved into a modular enterprise privilege engine, and in 2026 its maintenance faces an open-source sustainability crisis.
Some of the most critical infrastructure on the internet is not a cloud platform or a firewall appliance. It is a single command typed into a terminal: sudo.
The utility known as sudo sits at the precise intersection of identity and authority on Unix and Linux systems. It governs who may assume elevated privileges, under what conditions, for how long, and with what audit trail. For over three decades, its continued reliability has depended largely on the deliberate stewardship of one maintainer: Todd C. Miller.
This is a story about privilege, architecture, and the human sustainability crisis beneath global infrastructure.
The Origin of Privilege Delegation
sudo was first implemented around 1980 at SUNY Buffalo by Bob Coggeshall and Cliff Spencer to solve a fundamental Unix limitation: the binary nature of root authority. Either a user had no administrative power or possessed complete superuser control.
The name originally meant “superuser do.” Over time, documentation shifted toward “substitute user, do,” reflecting a more granular reality: sudo could execute commands as any user, not only root.
In 1994, Todd C. Miller assumed maintainership with the release of CU Sudo 1.3. Under his guidance, sudo transitioned to an ISC-style license in 1999 and underwent significant architectural refinement. His approach has consistently been conservative, correctness-driven, and heavily reviewed, which explains sudo’s long-standing trust within critical infrastructure.
The 1.9 Architectural Transformation
The release of sudo 1.9 in May 2020 marked the most significant redesign in the utility’s history. While version 1.8 introduced plugin extensibility, 1.9 expanded this into a fully modular enterprise framework.
Modular Plugin Ecosystem
The 1.9 architecture separates functionality into distinct plugin classes:
Policy plugins that decide whether a command is authorized
I/O plugins that record session input and output
Audit plugins that receive accept, reject, and exit events for external logging
Approval plugins that add a second, independent check after the policy decision, enabling Just-in-Time workflows
Python API support enabled plugin development in Python 3 rather than only C, lowering the barrier for security teams to implement context-aware policy logic.
This shift transformed sudo from a configuration-driven command gatekeeper into a programmable policy engine.
Centralized Logging and sudo_logsrvd
One of the most significant enhancements in 1.9 is sudo_logsrvd, a centralized log server designed to keep audit records out of reach of a compromised host.
If an attacker compromises a host, local logs can be deleted. sudo_logsrvd addresses this risk by streaming event and I/O logs in real time over TLS to a secure log server.
Two operational modes exist:
Local storage repository
Relay mode for hierarchical deployments
With support for JSON log formatting, logs integrate directly into SIEM platforms such as Elasticsearch or Splunk, enabling structured analytics and a tamper-resistant forensic record.
This elevated sudo from a local auditing utility to a fleet-wide governance component.
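The structured analytics the JSON format enables can be illustrated with a small detector. The following is an added example, not code from sudo or from this article: the log lines are constructed in the shape of sudo's JSON event log (the `accept`, `reject` and `exit` records with `submituser`, `submithost`, `command`, `runuid` and `runargv` fields), with invented users, hosts and timestamps, and the reject threshold and shell list are this example's own choices. It flags repeated denials from one user on one host and any accepted interactive shell running as root, and it counts rather than crashes on a malformed record.

```python
import json
import os
from collections import Counter

# Constructed sample lines in the shape of sudo's JSON event log (sudoers
# "Defaults log_format = json", or sudo_logsrvd with "log_format = json").
# Users, hosts and timestamps are invented; the last line is deliberately
# truncated to show how a detector should treat a malformed record.
SAMPLE_LOG = """
{"accept":{"uuid":"00000000-0000-4000-8000-000000000001","command":"/usr/bin/systemctl","runuser":"root","runuid":0,"submituser":"alice","submithost":"web01","submitcwd":"/home/alice","ttyname":"/dev/pts/0","runargv":["systemctl","restart","nginx"],"server_time":{"seconds":1770000000}}}
{"reject":{"reason":"command not allowed","command":"/usr/bin/cat","runuser":"root","submituser":"bob","submithost":"web01","runargv":["cat","/var/log/secure"],"server_time":{"seconds":1770000010}}}
{"reject":{"reason":"command not allowed","command":"/usr/bin/vi","runuser":"root","submituser":"bob","submithost":"web01","runargv":["vi","/etc/sudoers"],"server_time":{"seconds":1770000020}}}
{"reject":{"reason":"command not allowed","command":"/bin/bash","runuser":"root","submituser":"bob","submithost":"web01","runargv":["bash"],"server_time":{"seconds":1770000030}}}
{"accept":{"uuid":"00000000-0000-4000-8000-000000000002","command":"/bin/bash","runuser":"root","runuid":0,"submituser":"carol","submithost":"db01","submitcwd":"/home/carol","ttyname":"/dev/pts/2","runargv":["bash","-i"],"server_time":{"seconds":1770000040}}}
{"exit":{"uuid":"00000000-0000-4000-8000-000000000001","exit_value":0,"submituser":"alice","command":"/usr/bin/systemctl","server_time":{"seconds":1770000050}}}
{"accept":{"uuid":"00000000-0000-4000-8000-000000000003","command":"/usr/bin/id"
"""

# Example policy choices (tune per environment).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}
REJECT_THRESHOLD = 3


def parse_events(text):
    """Parse one JSON object per line into (event_type, fields) pairs.

    sudo wraps each record in a single top-level key naming the event type.
    Malformed lines are skipped and counted so the caller can alert on gaps."""
    events = []
    malformed = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(obj, dict) or len(obj) != 1:
            malformed += 1
            continue
        (etype, fields), = obj.items()
        if not isinstance(fields, dict):
            malformed += 1
            continue
        events.append((etype, fields))
    return events, malformed


def analyze(text):
    """Run the two detection rules over a block of log text and return a summary."""
    events, malformed = parse_events(text)
    findings = []
    rejects = Counter()
    for etype, f in events:
        user = f.get("submituser", "?")
        host = f.get("submithost", "?")
        command = f.get("command", "")
        if etype == "reject":
            rejects[(user, host)] += 1
        elif etype == "accept":
            # An accepted interactive shell as root is the highest-value event to review.
            if f.get("runuid") == 0 and os.path.basename(command) in SHELLS:
                findings.append({"rule": "root-shell", "user": user, "host": host,
                                 "argv": f.get("runargv", [])})
    for (user, host), count in rejects.items():
        if count >= REJECT_THRESHOLD:
            findings.append({"rule": "repeated-reject", "user": user, "host": host,
                             "count": count})
    return {"events": len(events), "malformed": malformed, "findings": findings}


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print("events=%d malformed=%d" % (summary["events"], summary["malformed"]))
    for finding in summary["findings"]:
        print(finding)
```

Because the records arrive as newline-delimited JSON, the same `analyze` function can be pointed at a file collected by sudo_logsrvd or at a SIEM export without changes; only the thresholds need to be tuned.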
LDAP and Enterprise Scalability
In large environments, managing local /etc/sudoers files becomes untenable.
sudo integrates with LDAP to centralize policy management. Instead of parsing a static file, sudo queries directory attributes such as:
sudoUser
sudoHost
sudoCommand
sudoOption
sudoOrder
This allows atomic policy updates and consistent rule enforcement across thousands of hosts.
The result is identity-driven privilege management at enterprise scale.
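How those directory attributes combine into a decision is easiest to see in code. The following is an added example, not part of the article and not sudo's own matching code: it models sudoRole evaluation in simplified form (exact user, `%group`, `ALL`, exact command path, `!` negation, and sudoOrder precedence where the highest-ordered matching entry wins and a missing sudoOrder counts as 0, as sudoers.ldap documents). Netgroups, wildcards, command arguments and host aliases are deliberately left out, and the role entries are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SudoRole:
    """One sudoRole entry, with the multi-valued attributes as lists."""
    cn: str
    sudoUser: list
    sudoHost: list
    sudoCommand: list
    sudoOption: list = field(default_factory=list)
    sudoOrder: float = 0.0      # sudoers.ldap: a missing sudoOrder is treated as 0


# Constructed directory content for this example (not from any real deployment).
ROLES = [
    SudoRole("legacy-db", ["bob"], ["db01"], ["/usr/bin/cat"]),            # no sudoOrder -> 0
    SudoRole("ops-services", ["%ops"], ["ALL"], ["/usr/bin/systemctl"], ["log_output"], 10),
    SudoRole("admins", ["%wheel"], ["ALL"], ["ALL"], [], 20),
    SudoRole("no-root-shell", ["ALL"], ["ALL"], ["!/bin/bash", "!/bin/sh"], [], 30),
]


def _user_matches(role, user, groups):
    """sudoUser: exact user name, %group, or ALL (netgroups omitted here)."""
    for value in role.sudoUser:
        if value == "ALL" or value == user:
            return True
        if value.startswith("%") and value[1:] in groups:
            return True
    return False


def _host_matches(role, host):
    """sudoHost: exact host name or ALL."""
    return any(value == "ALL" or value == host for value in role.sudoHost)


def _command_verdict(role, command):
    """Return True (allowed), False (explicitly negated) or None (no match).

    A matching negated command denies within this role regardless of other
    values, since attribute order within an entry is not guaranteed by LDAP."""
    allowed = None
    for value in role.sudoCommand:
        negated = value.startswith("!")
        pattern = value[1:] if negated else value
        if pattern == "ALL" or pattern == command:
            if negated:
                return False
            allowed = True
    return allowed


def evaluate(roles, user, groups, host, command):
    """Decide whether user (member of groups) may run command on host.

    Mirrors the sudoers "last match wins" behaviour: among matching entries,
    the one with the highest sudoOrder decides; sudoOptions of all matching
    entries are collected in ascending order so later ones override."""
    matches = []
    for role in roles:
        if _user_matches(role, user, groups) and _host_matches(role, host):
            verdict = _command_verdict(role, command)
            if verdict is not None:
                matches.append((role.sudoOrder, role, verdict))
    if not matches:
        return {"allowed": False, "rule": None, "options": []}
    matches.sort(key=lambda m: m[0])
    _, winner, verdict = matches[-1]
    options = []
    for _, role, _ in matches:
        options.extend(role.sudoOption)
    return {"allowed": verdict, "rule": winner.cn, "options": options}


if __name__ == "__main__":
    print(evaluate(ROLES, "alice", {"wheel"}, "web01", "/usr/bin/id"))
    print(evaluate(ROLES, "alice", {"wheel"}, "web01", "/bin/bash"))
    print(evaluate(ROLES, "dave", {"ops"}, "web01", "/usr/bin/systemctl"))
```

The `no-root-shell` entry shows why sudoOrder matters in practice: a blanket `ALL` grant for administrators and a later, higher-ordered negation coexist, and the negation wins only because its sudoOrder is higher.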
High-Stakes Vulnerabilities
As a setuid root binary, sudo represents a high-value attack surface.
CVE-2021-3156: Baron Samedit
In 2021, researchers disclosed a heap-based buffer overflow that allowed unauthenticated local privilege escalation. The flaw stemmed from an off-by-one error in argument parsing and had existed in the codebase for nearly a decade.
CVE-2025-32463: Chroot Elevation
In late 2025, a vulnerability in the chroot feature allowed root escalation even when no sudo rules were defined. The fix involved deprecating the chroot option in 1.9.17p1.
These incidents underscore the inherent risks of complex system-level C code handling untrusted input.
The Rise of Memory-Safe Alternatives
The repeated pattern of memory-safety flaws has catalyzed interest in sudo-rs, a Rust-based reimplementation designed to eliminate buffer overflow classes entirely.
While sudo-rs currently supports only a subset of features, its emergence reflects a broader 2026 trend toward memory-safe system utilities.
It represents not a replacement yet, but a strategic direction.
Cloud and Zero Trust Integration
By 2026, privilege management is no longer static.
Cloud providers externalize portions of sudo’s policy model:
GCP OS Login ties Linux access to IAM roles.
AWS Systems Manager enables Run As workflows with centralized logging.
Modern models emphasize:
Zero Standing Privilege
Multi-factor authentication
Time-bound access
Centralized telemetry
sudo 1.9 approval plugins enable Just-in-Time workflows aligned with these principles.
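The Python plugin API from the 1.9 section and the time-bound, Just-in-Time model described here come together in an approval plugin. The following is an added example, not code shipped with sudo or written by its maintainer: the `check(self, command_info, run_argv, run_env)` method, `sudo.PluginReject`, `sudo.RC.ACCEPT` and `sudo.log_info` are used as documented in sudo_plugin_python(8) to the best of my recollection and should be checked against the installed version; the maintenance window, allow list, file path and class name are this example's own choices. The decision is kept in a plain function with an injected clock so it can be unit-tested outside sudo, which is also why the import of the `sudo` module is guarded.

```python
"""Maintenance-window approval plugin for sudo 1.9 (Python plugin API).

Registered in sudo.conf with a line such as (path and class are this
example's own):
    Plugin python_approval python_plugin.so ModulePath=/etc/sudo/plugins/window_approval.py ClassName=WindowApprovalPlugin
"""
from datetime import datetime, time
import os

try:
    import sudo  # provided by python_plugin.so when loaded inside sudo
except ImportError:
    sudo = None  # running outside sudo (e.g. unit tests): only decide() is used

# Example policy: elevation to root is approved only inside the maintenance
# window on weekdays, except for a short allow list of routine commands.
WINDOW_START = time(8, 0)
WINDOW_END = time(18, 0)
ALWAYS_ALLOWED = {"/usr/bin/systemctl", "/usr/bin/journalctl"}


def _as_dict(pairs):
    """sudo passes command_info as a tuple of 'key=value' strings."""
    info = {}
    for item in pairs:
        key, _, value = item.partition("=")
        info[key] = value
    return info


def decide(command_info, run_argv, now=None):
    """Return None to approve, or a rejection reason string.

    command_info is the tuple of key=value strings sudo hands to check()
    (keys such as command= and runas_uid= come from the sudo_plugin manual);
    run_argv is kept for parity with the API; now is injected for testing."""
    now = now or datetime.now()
    info = _as_dict(command_info)
    command = info.get("command", "")
    if info.get("runas_uid", "") != "0":
        return None  # this plugin only gates elevation to root
    if command in ALWAYS_ALLOWED:
        return None
    if now.weekday() >= 5:
        return "root elevation is not approved on weekends"
    if not (WINDOW_START <= now.time() < WINDOW_END):
        return "root elevation is only approved between %s and %s" % (WINDOW_START, WINDOW_END)
    return None


def simulate(command, runas_uid, when):
    """Evaluate the policy for a command at an ISO-8601 time, e.g. '2026-03-10T14:00'."""
    info = ("command=" + command, "runas_uid=" + str(runas_uid))
    return decide(info, (os.path.basename(command),), datetime.fromisoformat(when))


if sudo is not None:
    class WindowApprovalPlugin(sudo.Plugin):
        """Runs after the policy plugin has accepted the command; it can only reject."""

        def check(self, command_info: tuple, run_argv: tuple, run_env: tuple) -> int:
            reason = decide(command_info, run_argv)
            if reason:
                sudo.log_info("approval denied: " + reason)
                raise sudo.PluginReject(reason)
            sudo.log_info("approval granted for " + " ".join(run_argv))
            return sudo.RC.ACCEPT


if __name__ == "__main__":
    for when in ("2026-03-10T14:00", "2026-03-10T22:00", "2026-03-14T14:00"):
        print(when, simulate("/usr/bin/apt", 0, when))
```

Because an approval plugin can only narrow what the policy plugin already allowed, it layers cleanly on top of an existing sudoers or LDAP policy: the standing grant stays in place, and the plugin supplies the time-bound condition.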
The 2026 Sustainability Crisis
In February 2026, Todd C. Miller issued a public sponsorship appeal.
After corporate sponsorship through Quest Software and One Identity ended in 2024, sudo returned to largely independent maintenance. Despite being foundational to global infrastructure, the project lacked sustainable funding.
Key risks identified:
Workload imbalance
Slowed feature development
No clear succession plan
Maintainer burnout
This exposed a systemic fragility: the world’s privilege management backbone depended heavily on one individual.
Comparative Philosophy
Alternative tools illustrate different design philosophies:
su: password sharing, minimal accountability
doas: minimalist, reduced attack surface
sudo: feature-rich, enterprise policy engine
sudo-rs: memory safety with modern language design
Each reflects trade-offs between complexity, extensibility, and risk.
Strategic Lessons
For organizations relying on sudo in 2026:
Deploy centralized logging with sudo_logsrvd and TLS
Adopt Just-in-Time elevation workflows
Evaluate memory-safe implementations for new deployments
Sponsor critical open-source infrastructure
Privilege escalation is not merely a technical function. It is an authority architecture embedded in every system.
Why Todd C. Miller Matters
Todd C. Miller’s stewardship demonstrates that correctness in access control is cultural before it is technical.
For over 30 years, sudo has remained trusted because its evolution was deliberate and conservative. Its 1.9 transformation proves that legacy utilities can modernize without sacrificing reliability.
But the 2026 sponsorship crisis revealed a deeper truth:
Critical infrastructure is not only code. It is the people who maintain it.
Humans of Cyber is not just about defenders in incident response rooms. It is about the maintainers of invisible commands that keep authority accountable.
And few commands carry more weight than sudo.
Copyright © 2026 911Cyber. All Rights Reserved.