Advantages of 'sudo' Over 'su'?

Jim Cheetham jim at iNode.co.nz
Fri Oct 1 01:42:13 UTC 2004


Brett Kirksey wrote:
> I've been curious about this since I run OS X as well. What are
> the advantages of disabling the root account and adding a user
> or group to sudoers with root privileges? Can a user given the
> same privileges as root in sudoers do everything that root can?
> If so, why bother disabling root? The sudoer could just type
> sudo su and get the same result as su if root were enabled?

Well, there is one trivial consequence ... instead of having to guess 
"the root password", an attacker now has to guess "the admin username, 
and the admin password".

Now, that might not be particularly difficult if they know your system, 
but from an external perspective it does make things harder.

In a large multi-user system, of course, sudo can be used to provide 
good granularity, and enable users to run "as root" only *some* 
commands, and not others. This obviously isn't so important for a 
desktop system :-) but it could be good for your other home users 
(spouses, kids) who do need root privs to interact with hardware (ppp 
and so on) but not with other stuff.

One of the prime reasons in my opinion, however, is that it avoids the 
"I can do ANYTHING" interactive login by default - you will be prompted 
for a password before major changes can happen, which might make you 
*think* about the consequences of what you're doing! If you were logged 
in as root, you'd just delete some of those useless folders and not 
realise you were in the wrong directory ... until reboot time ...

If you want a whole shell instead of a command-at-a-time, use "sudo -s". 
That's what I do. On some workstations I even ask sudo to trust me 
without a password ... but on servers, I don't.

-jim
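
The granularity and the passwordless workstation setting described in the message above, as an added sudoers sketch that is not part of the original post. The group name, user names, command paths and the ppp peer name "provider" are assumptions chosen for illustration.

```sudoers
# Constructed example; every name and path below is an assumption.
# Edit with visudo so a syntax error cannot lock everyone out of sudo.

# Commands for bringing the dial-up (ppp) link up and down.
# Arguments are spelled out: a command listed with arguments matches
# only that exact invocation, so extra options cannot be passed to
# the program that runs as root.
Cmnd_Alias PPP = /usr/bin/pon provider, /usr/bin/poff provider

# Household users who need the link but nothing else (hypothetical names).
User_Alias FAMILY = alice, bob

# Full administrators: any command as any user, after entering their
# own password. This is the grant that makes "sudo -s" possible.
%admin  ALL = (ALL) ALL

# Granular grant: FAMILY may run only the PPP commands, as root.
# "sudo su" and "sudo -s" are refused for these users because a
# shell is not in the list.
FAMILY  ALL = (root) PPP

# Passwordless variant for a single-user workstation.
# Any process running as that user can then become root silently,
# so this line stays commented out on servers.
# jim   ALL = (ALL) NOPASSWD: ALL
```

`visudo -c` checks the file's syntax, and `sudo -l` run as one of the users shows exactly which commands that user has been granted.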





More information about the ubuntu-users mailing list