LinuxQuestions.org

All parties in the matter of Sudo v. Root Account please rise... (https://www.linuxquestions.org/questions/linux-general-1/all-parties-in-the-matter-of-sudo-v-root-account-please-rise-866642/)

MBybee 04-19-2011 09:52 AM

Quote:

Originally Posted by John VV (Post 4328707)
why ?
sudo ### can open up a hole but is BETTER for some situations.

What hole does sudo open that having the root password doesn't also open? Sudo can be used in a secure environment in a similar fashion to a setuid root, but with a higher degree of safety (since only users/groups specifically allowed can perform specifically allowed functions).

Unless you mean that "ALL=(ALL:ALL) ALL" type stuff Ubuntu likes to use, which is perhaps just almost the same as logging in as root really. If I use sudo on a machine, it's a ton more restrictive for general users.

orgcandman 04-19-2011 12:43 PM

Quote:

Originally Posted by MBybee (Post 4329399)
What hole does sudo open that having the root password doesn't also open? Sudo can be used in a secure environment in a similar fashion to a setuid root, but with a higher degree of safety (since only users/groups specifically allowed can perform specifically allowed functions).

Unless you mean that "ALL=(ALL:ALL) ALL" type stuff Ubuntu likes to use, which is perhaps just almost the same as logging in as root really. If I use sudo on a machine, it's a ton more restrictive for general users.

- having the root password -

That's a key requirement to logging in as root, which is removed when one uses sudo.

Additionally, it's very difficult to properly secure sudo such that it gives only the functionality desired. For instance, cp/tar/chown/chmod/etc. can all be used to completely own the system if the following is true:

1) I have login to an unprivileged user
2) I have that user's password (if required for the user to sudo)
3) that user is allowed to sudo any one of those commands as root (and they're not completely 100% spelled out)

sudo is VERY powerful, VERY confusing, and VERY often misconfigured. Give me any command where I can write a file as super-user, and your system is mine. Give me any command where I can leak information reserved to a super-user, and your system will probably be mine. And in both of these cases, the audit trail can't even be trusted (unless you log it off the box... you DO log to a separate machine, right?).

Please note: I don't sit on one side or the other of this debate. I know what I use, and I am comfortable with it. There are tradeoffs that will always apply, and make some security objectives unattainable, while providing others. The best you can do is lock down what you can lock down, mitigate what you can mitigate, and keep a vigilant eye towards your systems for any type of suspicious activity. But that's all common knowledge (I think).

Hangdog42 04-19-2011 12:55 PM

Quote:

Originally Posted by orgcandman
But that's all common knowledge (I think).

Go hang out in Security for a bit and you'll find out just how grotesquely uncommon it is.

MBybee 04-19-2011 02:38 PM

Quote:

Originally Posted by orgcandman (Post 4329614)
- having the root password -

That's a key requirement to logging in as root, which is removed when one uses sudo.

Additionally, it's very difficult to properly secure sudo such that it gives only the functionality desired. For instance, cp/tar/chown/chmod/etc.

These are not commands that should *ever* be allowed in sudo - sudo (on a desktop) is for things like shutdown. On a server, sudo should be configured to allow specifics like 'cancel' or specialty programs that would otherwise be run with setuid. I shudder to think someone would allow cp/tar/chown/chmod etc. without specifying the entire command to be issued at the very least.

I'll agree that most people don't configure *most* things properly. I disagree that sudo is difficult to secure :)
This, btw, is the difference between "your neighbor's kid who uses Linux" and a professional 80-100k/year sysadmin. Someone on my team here would be fired immediately for something most "good with Linux" people wouldn't even notice or care about. Of course, properly secured systems also limit logins to the very fewest possible people, and audit (tripwire, whatever you like to use) every single thing they do. Even things like someone who has permissions modifying a system without proper change control will result in dismissal. Su/sudo by themselves are nothing without the proper framework to fix the underlying *social* issues. Someone caught logging into root bypassing sudosh or other logging measures would be fired on the spot.

For desktops though, the main focus of this forum, the default user having sudo with everything is really no different from having root.
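
Added example, not part of any post in this thread: a small Python check for the two configurations the posters argue over, the blanket `ALL=(ALL:ALL) ALL` rule and file-writing commands (cp/tar/chown/chmod) granted without a fully spelled-out command line. The sudoers sample is constructed, the labels and function names are hypothetical, and the parser assumes one rule per line with no aliases or line continuations.

```python
import os
import re

# Commands named in the thread as able to write or re-own files as root.
FILE_WRITERS = {"cp", "tar", "chown", "chmod"}

# Constructed sudoers sample (assumption: not taken from any real system).
SAMPLE = """\
Defaults env_reset
%admin   ALL=(ALL:ALL) ALL
backup   ALL=(root) /bin/tar
deploy   ALL=(root) /bin/chown www-data /srv/app/*
operator ALL=(root) /sbin/shutdown -h now, /usr/bin/cancel
webadm   ALL=(root) NOPASSWD: /bin/cp /etc/app/site.conf.new /etc/app/site.conf
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\))?\s*(.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def classify(cmd):
    """Return a finding label for one sudoers command spec, or None."""
    cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop tags like NOPASSWD:
    if cmd == "ALL":
        return "all-commands"        # same reach as a root login
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) not in FILE_WRITERS:
        return None
    if len(argv) == 1:
        return "any-arguments"       # no argument list means any arguments
    if any(ch in arg for arg in argv[1:] for ch in "*?["):
        # In arguments, sudoers wildcards match across words and '/'.
        return "wildcard-arguments"
    return None                      # command line is fully spelled out

def audit(text):
    """Return (line number, user, command, label) for each risky rule."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        for cmd in m.group(3).split(","):
            label = classify(cmd)
            if label:
                findings.append((lineno, m.group(1), cmd.strip(), label))
    return findings
```

Calling `audit(SAMPLE)` flags the `%admin`, `backup` and `deploy` rules and passes the `operator` and `webadm` rules, whose command lines are pinned down.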

geforce 04-20-2011 05:51 AM

Every admin has their own user over LDAP. Nobody knows the root password.
If an admin needs privileged access, they can use su -, and if the user is in the right group then he has root privileges.

It's not the wheel group; the group is different for every server group and will be managed over LDAP. Every su - will be reported
to most admins so that they know a root is working on a machine.


All times are GMT -5.