LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-19-2015, 09:47 AM   #1
Upendra Pratap Singh
Member
 
Registered: May 2011
Location: India
Distribution: Ubuntu 14.04
Posts: 110
Blog Entries: 4

Rep: Reputation: 0
login as root loophole


When I try to execute a command using sudo, for example
Code:
sudo apt-get install
the terminal asks for the password for authentication. Once the authentication is over, it is then that the command is executed.

However when I write
Code:
sudo su
and hit enter, it directly puts me in root mode without asking for authentication.

Is it not a loophole in the
Code:
sudo su
command? Why does it not ask for the password?
 
Old 04-19-2015, 09:49 AM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Check the config for sudo in /etc/sudoers (use the visudo command, not a normal text editor). It may be that someone has configured sudo to behave that way (which is a very bad idea).
 
Old 04-19-2015, 09:52 AM   #3
jmccue
Member
 
Registered: Nov 2008
Location: US
Distribution: slackware
Posts: 687
Blog Entries: 1

Rep: Reputation: 380
That is the way sudo is set up on your system, for a short period of time no need for a PW. See man sudoers, option passwd_timeout.
 
Old 04-20-2015, 09:44 AM   #4
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,474

Rep: Reputation: 1553
Quote:
Originally Posted by jmccue View Post
That is the way sudo is set up on your system, for a short period of time no need for a PW. See man sudoers, option passwd_timeout.
Are you sure it's not timestamp_timeout ?
 
Old 04-21-2015, 08:08 PM   #5
jmccue
Member
 
Registered: Nov 2008
Location: US
Distribution: slackware
Posts: 687
Blog Entries: 1

Rep: Reputation: 380
Quote:
Originally Posted by TenTenths View Post
Are you sure it's not timestamp_timeout ?
You're right

John
 
Old 04-21-2015, 08:22 PM   #6
colorpurple21859
LQ Veteran
 
Registered: Jan 2008
Location: florida panhandle
Distribution: Slackware Debian, Fedora, others
Posts: 7,345

Rep: Reputation: 1588
I have Xubuntu; the xterminal that I used sudo in will retain the password until closed. I don't know how long it remains that way, as I usually close the xterminal as soon as I'm done running sudo commands. If I open a second xterminal and the first terminal is still open after running sudo on the first terminal, the second xterminal will ask for the password initially also.

Last edited by colorpurple21859; 04-21-2015 at 08:23 PM.
 
Old 04-21-2015, 09:43 PM   #7
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: Slackware, Ubuntu, PCLinux,
Posts: 10,492

Rep: Reputation: 2488
I don't use Ubuntu often, but my experience with a terminal is the same as described by colorpurple21859. Open a terminal and enter any command requiring sudo and a password is needed. Using the same terminal for another command requiring sudo, whether to open a text editor, file manager, web browser or any other action, does not ask for a password. Close the terminal, open a new one and the first sudo option will again demand a password.
 
Old 04-22-2015, 07:34 PM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,642
Blog Entries: 4

Rep: Reputation: 3933
Actually, sudo su is a gaping security-hole(!!) on a great many systems, including nearly all of the Macintoshes that you see being used at any-and-every coffee shop.

(So much for Macs being "immune to exploits" ...)

Most-unfortunately, I typically find that this command works on most Linux and Unix systems that I encounter. If I am able to use sudo at all, I find that I can usually issue sudo su, and thereby gain full root privileges using nothing more than my own(!!) password ... even if (as usually is the case with OS/X) "the actual root user is disabled."

"Heh..." ( ... ) "reckon it don' matter much whether-or-not I actually am root, if I find that I can do everything he does, using nothing-more than my password!"

Yep. Apple, of all companies on this planet, should know better. But apparently they don't. (And, equally apparently, the vast majority of "Linux distro" authors don't seem to, either.) Guess this must qualify as a "dirty little secret."

Last edited by sundialsvcs; 04-22-2015 at 07:36 PM.
 
Old 04-22-2015, 08:30 PM   #9
colorpurple21859
LQ Veteran
 
Registered: Jan 2008
Location: florida panhandle
Distribution: Slackware Debian, Fedora, others
Posts: 7,345

Rep: Reputation: 1588
I haven't tried it lately, but I have changed root's password with sudo su in Ubuntu.
 
Old 04-23-2015, 04:18 PM   #10
omniterm
LQ Newbie
 
Registered: Jun 2014
Posts: 1

Rep: Reputation: Disabled
The big issue here is that "root" is dangerous. For security, many modern distros lock out the root account during install, and the first user account that is created is an Admin account: a user account with sudo access. The big problem here is that many users, myself included, use weak/no passwords for their user (Admin) account. Since "root" was locked out for security purposes, sudo is configured to ask for the user's password. This allows users to run commands that require root access using sudo (Switch User and DO command) or run su (Switch User). This is actually less secure due to most users having weak/no password for their user account.

Then there is the "Lazy" feature that allows sudo to remember your authentication and allows you to run sudo without requiring a password for a configurable amount of time. This feature only works for the current login session. Each terminal window you open will be a new session and thus require your password the first time you run sudo or su.

One of the reasons I don't like Ubuntu or any modern distro that locks out root for security. On my Fedora 21 install I have a strong password for "root" and a weak password for my account. None of my users have access to sudo, and any attempt to run sudo will fail with a warning that you are not a member of sudo and thus will be reported to root. If I run su as a user then I am asked for root's password, not my weak password.
 
Old 04-23-2015, 04:35 PM   #11
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
Quote:
Originally Posted by omniterm View Post
The big issue here is that "root" is dangerous.
Root is not dangerous. Root is a fundamental and useful basic design concept in Unix-like operating systems.

Lack of knowledge about basic concepts, including root, coupled with a willingness to blindly try things anyway is dangerous - in any sphere!

Willingness of some distro developers to reinforce, rather than fix this lack of knowledge, disabling root accounts and misusing and abusing sudo in an effort to create some new and ill-defined category of user called "Admin" only makes matters worse.

Root is a design constraint, learn why and how it works.

Sudo is a useful and safe tool when used properly, learn how to use it properly.
 
Old 05-19-2015, 02:45 AM   #12
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
Quote:
Originally Posted by astrogeek View Post
Quote:
Originally Posted by omniterm View Post
The big issue here is that "root" is dangerous.
Root is not dangerous. Root is a fundamental and useful basic design concept in Unix-like operating systems.

Lack of knowledge about basic concepts, including root, coupled with a willingness to blindly try things anyway is dangerous - in any sphere!

Willingness of some distro developers to reinforce, rather than fix this lack of knowledge, disabling root accounts and misusing and abusing sudo in an effort to create some new and ill-defined category of user called "Admin" only makes matters worse.

Root is a design constraint, learn why and how it works.

Sudo is a useful and safe tool when used properly, learn how to use it properly.
The title of this whole thread is misleading. Sudo, su, and the root account are NOT dangerous. What is dangerous is the way these are being used to make system administration more convenient and less secure. This is no loophole, just poorly done administration of Linux systems to simplify Linux for people who do not care to learn how to actually use Linux properly.

For anyone still confused: you don't actually need sudo. Learn a bit about system security.
 
Old 05-19-2015, 06:39 AM   #13
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by mralk3 View Post

For anyone still confused: you don't actually need sudo.
That statement may or may not be true, depending on the environment. While on single user desktop systems one certainly does not have a need for sudo other than convenience, this might not be true in environments where different users need to have access to different administrative tasks without having full root access.
 
Old 05-19-2015, 12:15 PM   #14
mralk3
Slackware Contributor
 
Registered: May 2015
Distribution: Slackware
Posts: 1,900

Rep: Reputation: 1050
Quote:
Originally Posted by TobiSGD View Post
That statement may or may not be true, depending on the environment. While on single user desktop systems one certainly does not have a need for sudo other than convenience, this might not be true in environments where different users need to have access to different administrative tasks without having full root access.
True. I was assuming, based on the context of previous replies, that we are talking about single user desktop or laptop systems. I have in the past configured a server to use sudo to allow a limited set of commands to an administrative database user, a user to manage Apache, or a user that strictly handles software updates / installation.

In general though for laptops or desktops sudo isn't imperative to operation. Most definitely sudo SHOULD NOT be set up to allow root access without a password. The one exception to passwordless sudo root access is on a Live image like a live cd or live usb disk. The only reason a live image should allow this is if the file system is mounted read only, and most of these types of images are booted read-only. This prevents permanent system compromises since writing to disk is impossible.
 
Old 05-19-2015, 07:26 PM   #15
Keith Hedger
Senior Member
 
Registered: Jun 2010
Location: Wiltshire, UK
Distribution: Void, Linux From Scratch, Slackware64
Posts: 3,150

Rep: Reputation: 856
Quote:
Originally Posted by colorpurple21859 View Post
I have Xubuntu; the xterminal that I used sudo in will retain the password until closed. I don't know how long it remains that way, as I usually close the xterminal as soon as I'm done running sudo commands. If I open a second xterminal and the first terminal is still open after running sudo on the first terminal, the second xterminal will ask for the password initially also.
This is correct behaviour, as opening a new terminal starts a new shell with a new sudo timeout. There is little or no interaction between the two terminal sessions under normal circumstances; for instance, set a variable in the first terminal and then open a second and the variable will not be defined, depending on how you open the second terminal.
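
The sudoers check suggested in posts #2 to #5 and #14, as an added example that is not part of any post in this thread: a shell function that reads sudoers-format text and reports the settings that change when sudo asks for a password (`NOPASSWD`, `!authenticate`, `timestamp_timeout`). The sample policy is constructed, and the function names `audit_sudoers` and `sample_sudoers` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): flag sudoers settings that change
# when sudo asks for a password. Reads sudoers-format text on stdin.
audit_sudoers() {
  awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*[#@]include/ {                   # directives, not comments
      print "INCLUDE   audit this path too: " line; next
    }
    line ~ /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    line ~ /^[ \t]*Defaults/ {
      if (line ~ /!authenticate/)
        print "NOAUTH    password prompt disabled: " line
      if (match(line, /timestamp_timeout[ \t]*=[ \t]*-?[0-9.]+/)) {
        v = substr(line, RSTART, RLENGTH); sub(/^[^=]*=[ \t]*/, "", v)
        if (v + 0 < 0)       print "TIMEOUT   credentials never expire (" v ")"
        else if (v + 0 == 0) print "TIMEOUT   password asked on every sudo (0)"
        else                 print "TIMEOUT   password cached for " v " minutes"
      }
      next
    }
    line ~ /NOPASSWD[ \t]*:/ { print "NOPASSWD  no password required: " line }
  '
}

# Constructed sample policy, not taken from any real system.
sample_sudoers() {
  cat <<'EOF'
# constructed sample for the audit function above
Defaults env_reset, timestamp_timeout=-1
Defaults:backup !authenticate
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2, \
        /usr/bin/apt-get update
#includedir /etc/sudoers.d
EOF
}

sample_sudoers | audit_sudoers
```

On a real host, run `audit_sudoers < /etc/sudoers` as root and repeat it for every path reported as INCLUDE; `visudo -c` checks the syntax of the whole policy.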
 
  

