And even in the scenario where you "forget the root password" you could create one of your other users with the ability to do "sudo su -". This would require them to enter THEIR password but then put them at the root prompt at which point they could reset root's password. Obviously you woulldn't want to give this "su -" capability to a lot of people.

The deal is if you trust your "co-admin" enough to give him an suid 0 account then you might as well give him the root password itself because he'll have as much authority on the system (including the ability to change root's password) either way. Therefore adding a second suid 0 account just gives you another account to remember to make changes to if you're doing something to tighten down root itself - why add to your admin burden for no reason?

Its your system so you can do what you want. You're just getting the input of folks that have done this for years trying to explain why its a bad idea and let you know other ways to accomplish what you want without further compromising your security.

Thanks guys for sharing the information you all had gathered
Thanks to blindcoder for teaching with an example.

I am happy

I have another similar question. I would like to set up cron-jobs for a a user who needs root-privileges. But I can´t use the root-user himself because the user have to have German as local-language, and the root has english. I cannot change the root-language because I would then get other problems.
I hope that I´m clear. The problem is that with cron-jobs, I can´t use sudo. How do I get then a root user?

XpucTo

Actually, you can.
Enter this into the visudo command:
That way the user "blindcoder" may run the command "/path/to/command" using sudo without having to enter a password.

Greetings,
Benjamin

xpucto - I'd suggest you start a new thread with your question. It is likely to get more exposure as it will show 0 replies.