6

In /etc/sudoers, there is always:

```
root    ALL=(ALL:ALL) ALL
```

However, the root user (with UID 0) doesn't need to enter a password when they run a sudo command.

For other users, a password is required unless their entry contains NOPASSWD or a previous authentication hasn't timed out:

```
user    ALL=(ALL:ALL) NOPASSWD:ALL
                      ^^^^^^^^
```
iBug
  • This is a bit weird actually. Even though you'd usually use `sudo` to run commands as UID 0, and root is already UID 0 and there's nothing to gain by stopping them, `sudo` still requires the config line for `root` to be there. Without it, it tells even root to bugger off. – ilkkachu Mar 25 '19 at 10:37
  • 'Cause it is `root`. What would you gain running `sudo` as root? "Beyond Root"? "Who watches the Watchmen?" –  Mar 25 '19 at 14:28
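For auditing which entries skip the password prompt through `NOPASSWD`, here is an added example (not part of the original posts) that lists them from sudoers text. The function name `nopasswd_rules` and the sample content are constructed. The parser is deliberately simplified: it does not follow includes or expand aliases, assumes one host section per line, and treats every `#` line as a comment. Root's own exemption is not written in the file, so it is not reported.

```python
import re

# Constructed sample sudoers content (not taken from a real system).
SAMPLE = """\
# constructed example
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL:ALL) NOPASSWD:ALL
%ops    ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, \\
        PASSWD: /usr/bin/journalctl, /usr/bin/less
"""

TAG = re.compile(r"([A-Z_]+):\s*")             # e.g. "NOPASSWD:" or "PASSWD:"
RUNAS = re.compile(r"\([^)]*\)\s*")            # e.g. "(ALL:ALL)"
SKIP = re.compile(r"(Defaults|(User|Runas|Host|Cmnd)_Alias)\b")
COMMA = re.compile(r",(?![^(]*\))")            # commas outside a Runas list

def nopasswd_rules(text):
    """Return (who, command) pairs that carry the NOPASSWD tag."""
    text = re.sub(r"\\\n", " ", text)          # join continuation lines
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@include")) or SKIP.match(line):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        who, rest = parts
        _host, _, cmnds = rest.partition("=")
        nopasswd = False                       # sudo's default: ask for a password
        for cmd in COMMA.split(cmnds):
            cmd = RUNAS.sub("", cmd.strip(), count=1)
            # A tag stays in force for later commands until the opposite tag appears.
            while (m := TAG.match(cmd)):
                if m.group(1) == "NOPASSWD":
                    nopasswd = True
                elif m.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[m.end():]
            if nopasswd and cmd:
                found.append((who, cmd))
    return found

if __name__ == "__main__":
    for who, cmd in nopasswd_rules(SAMPLE):
        print(f"{who}: no password prompt for {cmd}")
```

On a real system, feed it the contents of `/etc/sudoers` and each file under `/etc/sudoers.d`, read with sufficient privileges.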

2 Answers

6

sudo allows users to execute commands as UID 0 (or other users) based on how it’s configured. There is no need to ask root for a password to run a command as UID 0, because it already is UID 0.

Furthermore, root can also su to anyone it’d like, so there’s no need to prompt for a password when executing sudo -u user as UID 0.

Note: I do believe there is a PAM setting that will even require root to provide a password for the target user when using su.

Peschke
3

While this is an interesting inconsistency, it would be pointless to stop root, as root has the capabilities CAP_SETUID and CAP_SETGID, so does not need sudo. It can do whatever it wants.

If sudo is checking root, and not these capabilities, then there may be a latent bug: root with no capabilities could escalate (I don't know; I have not looked at the code or tested).

ctrl-alt-delor