Again, if you're going to be on the system for quite a while and will need root privileges for most of that time, the command "sudo bash" will solve this problem for you. It's effectively the same as su or a login as root. You won't be bothered with a password prompt again until you exit the bash session.

sudo vs su - problem solved for me
 

sudo is okay for a one-shot. For more I have a script named rootwin, which is (on FC6):
PWD=`/bin/pwd`
su -plm -c "xhost +; cd $PWD; gnome-terminal --window-with-profile=Default &" root

Root's default terminal has a coral background, so can't mistake it. Type the password once. (Had to do something slightly sneakier on ubuntu 9.10, I forget what, but same idea). We use rootwin a lot.

An easily customizable alternative /etc/sudoers file for Slackware providing some pretty convenient administrating privileges to those in the root group without them having to have the root password:
If you are using an LDAP for authentication or anything else non-local, you'll want to change all of those 'ALL's to 'localhost.' (Not the first three, of course.)

An alternative package for sudo, enabling all of the insults:
sudo-1.7.4p6-x86_64-1ram.txz

I work full time on Linux since 1998 and strictly login AND work as root
that keeps me awake and forces me to pay attention to what I do
important to me because all my remote controlled servers also need to be managed

sudo is useful for machines with users needing occasional privilege elevation. Disabling root access completely and forcing admin users to repeatedly type their passwords is not only less secure it is also time consuming, particularly when performing many short commands at intervals.

Disabling any remote root logins, limiting login attempts, hardening the system, timing out idle root sessions and using strong passwords (or alternately ssh keys) is far more secure and time effective.

Regarding admins with root access leaving the organization... isn't it about time you changed the root passwords anyway? Or is turnover really that high? ;)

The only that I have for the sudo command is so that I can shutdown my computer from a fluxbox menu.

In almost all other cases I use the su command if I need root privileges. On very rare occasions I log in as root.

against sudo/su: allows to gain root from a compromised otherwise non-privileged user account (Owl)
 

But there are also different arguments:

The designers of the secured OpenWall GNU/*/Linux distro have also expressed critical opinions on `su` (for becoming root) and `sudo`. You might be interested in reading this thread:

[...unfortunately both su and sudo are subtly but fundamentally
flawed.](http://www.openwall.com/lists/owl-users/2004/10/20/6):

Apart from discussing the flaws of `su` and other things, Solar Designer also targets one specific reason to use `su`:

> Yes, it used to be common sysadmin
> wisdom to "su root" rather than login
> as root. Those few who, when asked,
> could actually come up with a valid
> reason for this preference would refer
> to the better accountability achieved
> with this approach. Yes, this really
> is a good reason in favor of this
> approach. But it's also the only one. ...(read more)

In their distro, they have ["completely got rid of SUID root programs in the default install"](http://www.openwall.com/lists/oss-security/2010/11/08/3) (i.e., including `su`; and they do not use capabilities for this):

> For servers, I think people need to
> reconsider and, in most cases,
> disallow invocation of su and sudo by
> the users. There's no added security
> from the old "login as non-root, then
> su or sudo to root" sysadmin "wisdom",
> as compared to logging in as non-root
> and as root directly (two separate
> sessions). On the contrary, the
> latter approach is the only correct
> one, from a security standpoint:
>
> http://www.openwall.com/lists/owl-users/2004/10/20/6
>
> (For accountability of multiple
> sysadmins, the system needs to support
> having multiple root-privileged
> accounts, like Owl does.)
>
> (For desktops with X, this gets
> trickier.)
>
> You also absolutely have to deal with...

BTW, they were to replace `sulogin` with [`msulogin`](http://www.ohloh.net/p/msulogin) to allow the setup with multiple root accounts: `msulogin` allows one to type in the user name also when going into the single user mode (and preserve the "accountability") (this info comes from [this discussion in Russian](http://www.opennet.ru/openforum/vslu.../73378.html#24)).

Sudo 99% of the time, root rarely if ever.

I professionally admin boxes (AIX, IRIX, Linux, FreeBSD, OpenBSD, and Solaris) and follow the same practices on all of them. Always run with the minimum possible permissions, never allow SSH as root. Been doing OS and DB support since before Linux, will continue doing it long after. Even before sudo, it was always the same. Use a 'vanity' account (named user) unless for some reason it is impossible to do so (ultra rare).

Wow! Almost half the people are wrong!

why ?

su & su - ### is great BUT not for ALL and EVERY situation

sudo ### can open up a hole but is BETTER for some situations

log in as root ### good for a few things BUT not for others

use what IS BEST for the situation and need .

What hole does sudo open that having the root password doesn't also open? Sudo can be used in a secure environment in a similar fashion to a setuid root, but with a higher degree of safety (since only users/groups specifically allowed can perform specifically allowed functions).

Unless you mean that "ALL=(ALL:ALL) ALL" type stuff Ubuntu likes to use, which is perhaps just almost the same as logging in as root really. If I use sudo on a machine, it's a ton more restrictive for general users.

- having the root password -

That's a key requirement to logging in as root, which is removed when one uses sudo.

Additionally, it's very difficult to properly secure sudo such that it gives only the functionality desired. For instance, cp/tar/chown/chmod/etc. can all be used to completely own the system if the following is true:

1) I have login to an unprivileged user
2) I have that user's password (if required for the user to sudo)
3) that user is allowed to sudo any one of those commands as root (and they're not completely 100% spelled out)

sudo is VERY powerful, VERY confusing, and VERY often misconfigured. Give me any command where I can write a file as super-user, and your system is mine. Give me any command where I can leak information reserved to a super-user, and your system will probably be mine. And in both of these cases, the audit trail can't even be trusted (unless you log it off the box... you DO log to a separate machine, right?).

Please note: I don't sit on one side or the other of this debate. I know what I use, and I am comfortable with it. There are tradeoffs that will always apply, and make some security objectives unattainable, while providing others. The best you can do is lock down what you can lock down, mitigate what you can mitigate, and keep a vigilant eye towards your systems for any type of suspicious activity. But that's all common knowledge (I think).

Go hang out in Security for a bit and you'll find out just how grotesquely uncommon it is.

These are not commands that should *ever* be allowed in sudo - sudo (on a desktop) is for things like shutdown. On a server, sudo should be configured to allow specifics like 'cancel' or specialty programs that would otherwise be run with setuid. I shudder to think someone would allow cp/tar/chown/chmod etc without specifying the entire command to be issued at the very least.

I'll agree that most people don't configure *most* things properly. I disagree that sudo is difficult to secure :)
This, btw, is the difference between "your neighbor's kid who uses linux" and a professional 80-100k/year sysadmin. Someone on my team here would be fired immediately for something most "good with linux" people wouldn't even notice or care about. Of course, properly secured systems also limit logins to the very fewest possible people, and audit(tripwire, whatever you like to use) every single thing they do. Even things like someone who has permissions modifying a system without proper change control will result in dismissal. Su/sudo by themselves are nothing without the proper framework to fix the underlying *social* issues. Someone caught logging into root bypassing sudosh or other logging measures would be fired on the spot.

For desktops though, the main focus of this forum, the default user having sudo with everything is really no different from having root.

every admin has a own user over ldap. nobody knows root password.
if a admin need privilege access, they can use su - and if the user in the right group then he has root privilege

it's not the wheel group is for every server-group other and will managed over ldap. every su - will be reported
to the moste admin that they know a root is working on a maschine.