Technical Beauty — Episode 34

Open the sudo CHANGELOG and search for the word "security". Make a cup of tea first. The list is rather long for a tool whose entire job is to ask three questions: who are you, what would you like to run, and may you.

In July 2015, Ted Unangst grew tired of negotiating with the sudo configuration on OpenBSD and wrote his own. He called it doas: dedicated OpenBSD application subexecutor. It was imported into the OpenBSD CVS tree on 16 July 2015 and shipped as the default privilege-escalation tool in OpenBSD 5.8 in October 2015, replacing the sudo package that had been the standard until then. The codebase today is roughly 1,100 lines of C plus a small yacc grammar.

A Short Origin Story

Ted Unangst's stated reason was personal. The default sudo configuration on OpenBSD had a "safe environment" rule that decided which shell variables were safe to forward to the elevated process.…