added 40 characters in body
ilkkachu

> There are two commands related to root privileges, sudo and su. With sudo, you don't become another user (including root). sudo has a pre-defined list of approved commands that it executes on your behalf (this addresses what I asked in the comment about how you give selected users selective privileges). Since you are not becoming root or another user, you just authenticate yourself with your own password.

This is incorrect. The most obvious difference between su and sudo is that the latter is usually configured to ask for your own password instead of the target user's password, and that sudo is more flexible. The whole point of both is letting you become another user. su can run a specific command and sudo can start an interactive shell; they just have different default modes.

Most commonly you have a group, conventionally named wheel, that is allowed to run any command as any user. Sometimes you want to restrict a user to only run a specific command as a specific user though, and this is what's more flexible about sudo compared to su.

> With su, you actually become root or another user. If you want to become user Bob, you need Bob's password. To become root, you need the root password (which would be defined on a multi-user system).

You can become any user with sudo too, with your own password, provided that the rules in /etc/sudoers are set up to allow you to. sudo lets you restrict the command a user can run though, yes, and prevents you from having to disclose the passwords of specific users, or even not having a password at all on specific users, disallowing regular logins.

> If you become root, you have access to everything. Anyone not authorized to access another user's account would not be given the root password and would not have sudo definitions allowing it.
>
> This all makes sense until you look at something like [this link][1], which is a tutorial for using sudo -V and then sudo su - to become root using only your own password.
>
> If any user can become root without the root password, what mechanism protects user files from unauthorized access?

[1]: http://home.ubalt.edu/abento/linux/terminal/sudo.html

First of all, sudo -V prints the version of your sudo binary, and sudo -v validates the cached credentials; both are irrelevant to the later part.

Second, sudo su is a rather silly thing to do because there is already a sudo option to start an interactive shell as the specified user (sudo -i), and running one privilege authorization tool (sudo) to run another privilege authorization tool (su) is really silly.

Third, "any user" should definitely NOT be able to become root. If they can, your whole system is completely unsecured. The root user is all-powerful and can do anything at all, and running a command as root is only one of the uses of sudo; it's a general authorization tool which can let a specific user run a specific command as a specific user.
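
How the rules in /etc/sudoers decide who can become root, as an added example that is not part of the original answer: a simplified Python reader run over a constructed policy. The users alice and bob, the command paths, and the helper names `parse_rules` and `unrestricted_root` are assumptions; aliases, negation and line continuations are not handled.

```python
import re

# Constructed sample policy (not from the post); user names and paths are made up.
SAMPLE_SUDOERS = """\
Defaults env_reset
# wheel members: any command as any user, using their own password
%wheel  ALL=(ALL:ALL) ALL
# alice: one command, and only as user postgres
alice   ALL=(postgres) /usr/bin/pg_dump
# bob: one command as root (an omitted run-as list means root)
bob     ALL= NOPASSWD: /usr/bin/systemctl restart nginx
# weak: every account on the machine may become root
ALL     ALL=(ALL) ALL
"""

# who host = [(runas)] [TAG:] commands -- simplified: no aliases, negation or continuations
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")


def parse_rules(text):
    """Return [(who, runas_users, commands)] for each simple user specification."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas, cmds = m.groups()
        # Only the user part of (user:group) matters here; no list at all means root.
        users = ["root"] if runas is None else [
            u.strip() for u in runas.split(":")[0].split(",") if u.strip()]
        commands = [c.strip() for c in TAGS.sub("", cmds).split(",") if c.strip()]
        rules.append((who, users, commands))
    return rules


def unrestricted_root(text):
    """Principals whose rule allows any command as root, i.e. a full root shell."""
    return [who for who, users, cmds in parse_rules(text)
            if "ALL" in cmds and ("root" in users or "ALL" in users)]


if __name__ == "__main__":
    for who, users, cmds in parse_rules(SAMPLE_SUDOERS):
        print(f"{who:8} as {','.join(users):10} may run {', '.join(cmds)}")
    print("full root:", unrestricted_root(SAMPLE_SUDOERS))
```

On a live system, `sudo -l -U <user>` shows what sudo itself evaluates for an account, which is authoritative where this simplified reader is not.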

updated quotes to new question.
remmy

> There are two commands related to root privileges, SUDO and SU. With SUDO, you don't become another user (including root). SUDO has a pre-defined list of approved commands that it executes on your behalf (this addresses what I asked in the comment about how you give selected users selective privileges). Since you are not becoming root or another user, you just authenticate yourself with your own password.

This is incorrect. The biggest difference between su and sudo is that you enter your own password instead of the target user's password, and that sudo is more flexible. The whole point of both is letting you become another user. su can run a specific command and sudo can start an interactive shell; they just have different default modes.

Most commonly you have a group, conventionally named wheel, that is allowed to run any command as any user. Sometimes you want to restrict a user to only run a specific command as a specific user though, and this is what's more flexible about sudo compared to su.

> With SU, you actually become root or another user. If you want to become user Bob, you need Bob's password. To become root, you need the root password (which would be defined on a multi-user system).

You can become any user with sudo too, with your own password, provided that the rules in /etc/sudoers are set up to allow you to. sudo lets you restrict the command a user can run though, yes, and prevents you from having to disclose the passwords of specific users, or even not having a password at all on specific users, disallowing regular logins.

> If you become root, you have access to everything. Anyone not authorized to access another user's account would not be given the root password and would not have SUDO definitions allowing it.
>
> This all makes sense until you look at something like [this link][1], which is a tutorial for using SUDO -V and then SUDO SU - to become root using only your own password.
>
> If any user can become root without the root password, what mechanism protects user files from unauthorized access?

[1]: http://home.ubalt.edu/abento/linux/terminal/sudo.html

First of all, sudo -V prints the version of your sudo binary, and sudo -v validates the cached credentials; both are irrelevant to the later part.

Second, sudo su is a rather silly thing to do because there is already a sudo option to start an interactive shell as the specified user (sudo -i), and running one privilege authorization tool (sudo) to run another privilege authorization tool (su) is really silly.

Third, "any user" should definitely NOT be able to become root. If they can, your whole system is completely unsecured. The root user is all-powerful and can do anything at all, and running a command as root is only one of the uses of sudo; it's a general authorization tool which can let a specific user run a specific command as a specific user.

remmy

> There are two commands related to root privileges, SUDO and SU. With SUDO, you don't become another user (including root). SUDO has a pre-defined list of approved commands that it executes on your behalf (this addresses what I asked in the comment about how you give selected users selective privileges). Since you are not becoming root or another user, you just authenticate yourself with your own password.

This is incorrect. The biggest difference between su and sudo is that you enter your own password instead of the target user's password, and that sudo is more flexible. The whole point of both is letting you become another user. su can run a specific command and sudo can start an interactive shell; they just have different default modes.

Most commonly you have a group, conventionally named wheel, that is allowed to run any command as any user. Sometimes you want to restrict a user to only run a specific command as a specific user though, and this is what's more flexible about sudo compared to su.

> With SU, you actually become root or another user. If you want to become user Bob, you need Bob's password. To become root, you need the root password (which would be defined on a multi-user system). If you become root, you have access to everything. You restrict access to other users' accounts via SUDO definitions and who has the root password.

You can become any user with sudo too, with your own password, provided that the rules in /etc/sudoers are set up to allow you to. sudo lets you restrict the command a user can run though, yes, and prevents you from having to disclose the passwords of specific users, or even not having a password at all on specific users, disallowing regular logins.

> This all makes sense until you look at something like [this link][1], which describes using SUDO -V and then SUDO SU - to become root using only your own password. So how are user files protected if any user can become root?

[1]: http://home.ubalt.edu/abento/linux/terminal/sudo.html

First of all, sudo -V prints the version of your sudo binary, and sudo -v validates the cached credentials; both are irrelevant to the later part.

Second, sudo su is a rather silly thing to do because there is already a sudo option to start an interactive shell as the specified user (sudo -i), and running one privilege authorization tool (sudo) to run another privilege authorization tool (su) is really silly.

Third, "any user" should definitely NOT be able to become root. If they can, your whole system is completely unsecured. The root user is all-powerful and can do anything at all, and running a command as root is only one of the uses of sudo; it's a general authorization tool which can let a specific user run a specific command as a specific user.