Ensure 'sudo' binary used for permission checks isn't user supplied

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.5] - 2022-09-25
+### Security
+- Ensure `sudo` binary used for permission checks isn't one supplied by the user in the `PATH` variable.
+
 ## [0.9.4] - 2022-09-25
 ### Fixed
 - Ensure cache directories exist before they're used.

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "mist"
-version = "0.9.4"
+version = "0.9.5"
 authors = ["Hunter Wittenborn <hunter@hunterwittenborn.com"]
 description = "The official command-line interface for the makedeb Package Repository"
 edition = "2021"

makedeb/PKGBUILD

@@ -4,7 +4,7 @@
 # `-H 'MPR-Package: yes'` to your `makedeb` call if you want Mist to be able to
 # automatically update itself.
 pkgname=mist
-pkgver=0.9.4
+pkgver=0.9.5
 pkgrel=1
 pkgdesc='The official command-line interface for the makedeb Package Repository'
 arch=('any')

src/util.rs

@@ -335,7 +335,7 @@ pub mod sudo {
     pub fn check_perms() {
         super::message::info("Obtaining root permissions...\n");
 
-        let mut cmd = self::run_as_normal_user("sudo");
+        let mut cmd = self::run_as_normal_user("/usr/bin/sudo");
         cmd.arg("true");
 
         if !cmd.spawn().unwrap().wait().unwrap().success() {
@@ -351,7 +351,7 @@ pub mod sudo {
 
     // Run a command as the normal user declared by [`NORMAL_UID`].
     pub fn run_as_normal_user<P: AsRef<super::OsStr>>(program: P) -> super::ProcCommand {
-        let mut cmd = super::ProcCommand::new("sudo");
+        let mut cmd = super::ProcCommand::new("/usr/bin/sudo");
         cmd.args(["-E", "-n"]);
         cmd.arg(format!("-u#{}", *self::NORMAL_UID));
         cmd.arg("--");