That's correct, and it is the case with some distributions other than Ubuntu as well. Ubuntu's policy is to have the root account locked (for example, by having an exclamation mark in the shadow file's password field) for security reasons. That's a very good policy, especially if the user is new to the world of UNIX and doesn't necessarily know enough about securing the system. In short, locking the root account is a move that prevents several "easy" cracking methods, one being a brute-force password attack against the root account. Well, anybody can read about security and understand that after reading; some older users (and some that don't understand the case well) tend to "enable" the root account again, but it's their headache to re-secure the system after that.
Ubuntu grants sudo privileges to the first user (the one created during setup); all users after that don't get those privileges unless configured so. It means that even though the root account is locked, the first user created during setup can run commands with root privileges by running sudo command_name. The default configuration of sudo for that user is pretty excessive: that user can do anything. He can even get a root login by
or a few other ways, like running a shell. It's not a bad idea to restrict the rights after the initial setup, to make things more secure. However, other users created after setup don't get permission to use sudo, so they can't do "root things". To enable them to do so, one can edit the /etc/sudoers configuration file and add the appropriate commands there that the users need to be able to run as root. Note: if you let them run a shell, su, or things like that, they get unlimited root-privilege access and can breach the whole system in a few seconds - so be careful. In Ubuntu sudo is configured so that you're asked for your password the first time you run 'sudo', and after that the system "remembers you" for a moment, so you can run several sudo commands (if you don't wait too long between them) and are not asked for the password all over again until a certain time period has passed.
The good sides of sudo are really something. In the past people either logged in as root, or logged in and issued "su" to become root, to do root things. On a machine with several admins, several people used "su", thus several people had to know the root password. If any of them did something nasty, logs (if any - they could be cleared because of unlimited root powers) showed just that "root" had done something, but couldn't tell which one of the users did it (not without some configuration). Instead, if people now use sudo, none of them need to know the root password because sudo asks for the user's own password - the administrator can configure strictly what the users can run with sudo, so they can be controlled more easily. Every user runs the commands with their own login name, which helps in seeing what happens. On the web there's much more information about sudo and how to use it efficiently and securely; better read it. I strongly advise using sudo instead of su if you're a new user, the system has more than one user account, or in any other case.
Here are a few examples:
1) Unlock root account - set a known valid password for it
2) See what iptables rules are set (needs root privileges)
sudo /sbin/iptables -L
3) Become root, even if root account is "locked" and can't be logged into from login (leave the dash "-" off, to preserve own environment)
4) Configure sudo (you might need to add the users to group 'sudo' in addition)
sudo vi /etc/sudoers
Hope it helps - have fun, and don't trash your machine by advertising your root password. Try to avoid logging in as root, try to avoid using X as root and try to avoid using 'su' for root things if you can; try to learn to use sudo, it's really easier, faster and more secure.
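An added example, not part of the original post: a small shell audit for the two points above, whether root's shadow entry is locked and whether any sudoers rule hands out ALL, su or a shell. The function names root_locked and risky_sudo_rules, the users and the file contents are constructed for illustration; the parser is simplified (no alias expansion, no line continuations).

```shell
#!/bin/sh
# Added example. All file contents below are constructed sample data.

# Exit 0 if root's password field in a shadow-format file starts with '!' or '*'.
root_locked() {
    awk -F: '$1 == "root" && $2 ~ /^[!*]/ { locked = 1 }
             END { exit !locked }' "$1"
}

# Print "who: command" for each sudoers user spec that allows ALL, su or a shell.
risky_sudo_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments, #include, blank lines
        /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        {
            n = index($0, "="); if (n == 0) next
            cmds = substr($0, n + 1)
            gsub(/\([^)]*\)[ \t]*/, "", cmds)    # drop (runas) specs
            gsub(/[A-Z_]+:[ \t]*/, "", cmds)     # drop tags such as NOPASSWD:
            sub(/^[ \t]+/, "", cmds)
            k = split(cmds, c, /[ \t]*,[ \t]*/)
            for (i = 1; i <= k; i++) {
                split(c[i], w, /[ \t]+/)         # w[1] is the command without args
                if (w[1] == "ALL" || w[1] ~ /^\/.*\/(su|sh|bash|dash|zsh|ksh)$/) {
                    print $1 ": " w[1]
                    break
                }
            }
        }' "$1"
}

# Constructed sample files standing in for /etc/shadow and /etc/sudoers.
tmp=$(mktemp -d)
cat > "$tmp/shadow" <<'EOF'
root:!:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
cat > "$tmp/sudoers" <<'EOF'
Defaults env_reset
alice ALL=(ALL:ALL) ALL
bob   ALL=(root) /sbin/iptables -L
carol ALL=(root) NOPASSWD: /usr/bin/apt-get update, /bin/su
EOF

if root_locked "$tmp/shadow"; then echo "root: locked"; else echo "root: password set"; fi
risky_sudo_rules "$tmp/sudoers"
```

On the sample data, bob's rule is the only one that stays limited to a single command; alice and carol are reported because ALL and /bin/su both give full root access.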