On the tradeoffs involved in the sudo no-password period:

My experience (of my own practice and what I've seen of others') is that with su, people are much more likely to open a root shell, rather than using su to run individual commands as root. The reason is obvious: If it turns out you need to run a series of commands as root (and it often does, even if you didn't know it when you entered the first one), it's cumbersome to have to type the root password for each one.

But with sudo, it's easy enough to prefix each command in a series with "sudo ", so there is much less reason to open a root shell.

The consequent danger with su is that people leave terminal windows lying around with root shells open on various machines. The sudo no-password period is better in that it ends automatically, and its status is not obvious from the shell prompt.

The weblog post mostly deals with the situation where you have only one group of people, and they become <root> (and only <root>) via either su or sudo.

There is also the situation where there are multiple groups (DBAs, Web Team, Storage, etc.) in an organization, and you want to give elevated access to some things, but not give out the <root> password. In smaller shops where everyone does everything (like in the author's case?), and has the password anyway, it's not a big difference between the two utilities. But if there's a Web Team, you can allow them to sudoedit the Apache configuration and restart via /etc/init.d/apache without giving them the keys to the proverbial kingdom.

This could also work with grad students and researches where a system/VM/instance has been provided to them to work on something, but they'll blow their leg off if given too much power. With power (ideally) comes responsibility, and many folks don't want that full responsibility and are quite happy to have limited access. (And then there are the folks who want full power, but no responsibility—sigh.)

There is also the case of "service accounts": if there is a <myapp> user (or <tomcat>, <postgres>, etc.) that an application runs under, we've found it advantageous to use sudo instead of su for them. The password for the service account is blocked in the shadow(5) (or LDAP) and so logins are not possible via SSH or su, but we allow certain folks/groups (and even ourselves) to become that service account for the work involved. This forces folks to SSH in as themselves and then become the service account—which helps with auditing. It's certainly possible to block logins via DenyUser in sshd-config(5), but it'd be a hassle to manage that for many machines. Similarly many service accounts are created during package installation with /bin/nologin as the shell and you may not want to change that, so a sudo -s can work.

As "David" also mentioned: with su people tend to run it once and have the shell that way—perhaps even jumping from system to system, so you get last entries that have <root> coming in from a remote IP: who exactly came in? The caching with sudo is good in that it allows one to stay as the "safe" regular account for most things, and only become elevated when needed.

The other things about sudo is that its configuration can be put into LDAP, and so if you want to make an access change you only have to hit one place to update things (the sudoHost attribute in a particular DN). If you use su with service accounts, you may possibly have to keep passed(5) and shadow(5) accounts synced.

There's also password changes (especially for service accounts). If someone leaves (either the organization or even just the group), if su is used everywhere then the password has to be changed everywhere; if sudo is used then their account can simply be locked (or removed from the sudoUser attribute). At one place I worked everyone used su to get to <root> and so the password was ingrained in muscle memory, therefore changes of staff were semi-painful because the shadow(5) file had to be updated everywhere (but this was scripted, so it wasn't that bad). In another place I worked at sudo was used, so while we still changed the <root> password, it wasn't as annoying because you just kept using your own password.

For the the last point: at that second organization I actually kept having to look up the <root> password from our password vault in certain cases (single-user boot) since I could never remember it because I used it so infrequently.

@David Magda: I talked about what I saw as the other uses of sudo in the earlier entry, SudoThreeFaces. In this entry I wanted to focus purely on the 'sudo as the sysadmin replacement for su' face of sudo. I agree that sudo has significant uses for other cases and a better security model for them than alternatives like ahdn written setuid cover programs.

Use of su versus direct logins as root is partly a policy issue and partly a convenience issue, as is keeping root shells sitting around. I generally don't keep root shells sitting around even though I use su instead of sudo (and I generally wind up running a series of commands in a root shell when I start one up).

As for password propagation across multiple machines: this ought to be a solved problem in any well-run environment. I accept that it's not necessarily the case and that implementing LDAP for /etc/sudoers may be easier than implementing something for password propagation, but I can't help but think that the overall environment has some problems that are just being worked around.