How is sudo safer than directly using su if the user is granted access to all commands?
Personally I do not necessarily consider it safer and most of the benefits (of sudo) are on a multi user system. On a single user system it probably is a wash.
The benefits are (in no particular order):
- sudo has superior logging. sudo logs each command.
- sudo allows finer grain control. One can configure sudo to give root access to some but not all commands.
- sudo uses the login password. This protects having to give the root password (as you would with su) and is related to the point above regarding finer grained control / access to root.
- In Ubuntu, by default, the root account is locked. This deters crackers as to log in (remote via say ssh) they have to guess both a user name and a password. If the root account is not locked, as is the case with su, then they only need to crack root's password.
sudo -iis probably the best method to isolate root's environmental variables from your user. This comes up from time to time but is moderately esoteric. See https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells- some people feel that having to type sudo before every command they wish to run as root or having sudo time out allows them to stop and think more clearly and reduces their errors or running erroneous commands. If doing so helps you that would be a benefit as well.
There are probably more benefits , but, those are the major ones, IMHO.
See also - https://help.ubuntu.com/community/RootSudo
To try to answer some of your other thoughts:
- There is nothing about either su or sudo that prevents you running malicious code as long as you know the password. Neither is safer or better.
- Crackers can obtain shell access via a number of methods. When you see "run arbitrary code" in a security notice - https://usn.ubuntu.com/usn/ - that means a cracker can run /bin/bash or any other code. Thus a cracker, via various exploits, can obtain shell access without knowing your login name or password. Neither sudo or su helps with this.
- If a cracker has shell access they can do a lot of damage without root access. For example the ransomware that encrypts all your personal data.
- If a cracker has shell access to an account with root access, via either su or sudo, the cracker can obtain root access via a number of methods beyond the scope of this discussion. Neither sudo or su is superior in this respect either.
So while you have observed problems or flaws with sudo, su has the exact same vulnerabilities and su is not superior to sudo in those aspects, IMHO
Imagine you have 20 minutes to do something complex. You’re a bit hungover and you have to rush. “Let’s use su” you say. “It’ll save some time” is your reasoning.
By accident you type
rm -rf /*
instead of
rm -rf ./*
Your system is now bricking itself and you have 10 minutes until your deadline.
If you explicitly choose when you need root, you can minimise the chance of this happening. Root might not be needed for rm -r ./* so why use it? Why take the risk?
That’s what “safety” means here. Minimising the risk of users (all users, not just beginners) making a fatal mistake.
Of course, this is an extreme example that shouldn’t be allowed to happen in a production environment (I guarantee it has happened in a prod environment).
Security wise there’s some stuff that sudo is better for too. As @Panther says - logging, restrictions, root password is SPOF, etc.)
I want to add a bit of historical perspective to the other answers. Unfortunately, I do not have any sources ready except for my own memories of Usenet discussions and magazine articles.
Some time ago, in the 1990s, distributions were making it easier to install Linux on your own hardware, even with not much computer knowledge.¹ Thus, Linux started to attract more and more people that surprisingly had not previously been drilled as system administrators on some UN*X dialect. Instead, many were used to (single user) systems like Windows 95/98. And they learned that most Linux system administration tasks made it necessary to work under that strange "root" account.
Thus, some users just logged in as root and used that account for all their daily work. Why should they have to type su and the root password again and again or login into a new tty just for some admin commands? But using root for everything is of course not a good idea, as you could do a lot more harm to your system with some unmindful command in the wrong place. This even led some distro (was it SuSE?) to modify the desktop background for the root user to display a big warning that you should use that account only for admin tasks.
So, the Ubuntu way with sudo has some advantages (in addition to those already listed by Panther).
- You cannot directly login to the root account.² :-)
- The installation process will not ask you for an (additional) root password, you need only one (your user's) password.
sudocaches your credentials, so for multiple admin commands in sequence, you only have to enter your password once (in contrast tosu). This reduces the urge to just open a shell or a new terminal with root privileges.- And it makes it easier to tell users online and in documentation which commands they have to enter as admin and which not.³
¹ And for those not daring to do it themselves, there were install parties.
² But you can use a command like sudo -i or sudo su - root to get a root shell after you logged in as a normal user.
³ But you know of course that you should not simply copy&paste commands from the Internet, right?