-4

My /etc/sudoers has content:

    Defaults        env_reset
    Defaults        mail_badpass
    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root    ALL=(ALL:ALL) ALL

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

    # Allow members of group sudo to execute any command
    %sudo   ALL=(ALL:ALL) ALL

    # See sudoers(5) for more information on "#include" directives:

    #includedir /etc/sudoers.d

There is no rule above specifying NOPASSWD. I was wondering why user root seems to be able to execute any command as any user without providing a password?

Thanks.

Tim
  • 101,790
    "A password is not required if the invoking user is root, if the target user is the same as the invoking user, or if the policy has disabled authentication for the user or command." - from the User Authentication section of the manual (https://www.sudo.ws/man/1.8.17/sudoers.man.html).
    Since root is already root and can already run any command as root, sudo just passes through the command to the shell.
    – Tim Kennedy May 24 '18 at 04:12

2 Answers

2

The root user does not need to authenticate for sudo, and as such is not required to enter a password to run a command as another user.

From sudoers manpage:

   User Authentication
     The sudoers security policy requires that most users authenticate themselves 
     before they can use sudo.  A password is not required if the invoking user is root, 
     if the target user is the same as the invoking user, or if the policy has disabled 
     authentication for the user or command. (...) 

Related: When the user of a shell is `root`, does running `su` on another user name ask for password of the other user?

dr_
  • 29,602
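The three exemptions in the quoted "User Authentication" passage, written out as a small audit check. This is an added example, not part of the original answer and not sudo's own code: the function names, the `deploy` rule in the sample and the simplified sudoers matching (no aliases, host matching or includes) are assumptions made for illustration.

```python
import re

# Constructed sample: rules from the question plus one hypothetical NOPASSWD rule.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

def policy_disables_auth(sudoers_text, user, groups=()):
    """True if the policy disables authentication for `user` on at least one rule.

    Simplified: recognises only a global `Defaults !authenticate` and a
    NOPASSWD tag on rules whose first field is the user, one of the user's
    %groups, or ALL. Aliases, host matching and included files are ignored.
    """
    principals = {user, "ALL"} | {"%" + g for g in groups}
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        rest = fields[1] if len(fields) > 1 else ""
        if fields[0] == "Defaults":
            if re.search(r"(^|[\s,])!authenticate\b", rest):
                return True
            continue
        if fields[0] in principals and re.search(r"\bNOPASSWD\s*:", rest):
            return True
    return False

def password_required(invoking_user, target_user, sudoers_text, groups=()):
    """Apply the three exemptions in the order the manual lists them."""
    if invoking_user == "root":        # assumes the name root maps to uid 0
        return False
    if invoking_user == target_user:   # target is the invoking user
        return False
    if policy_disables_auth(sudoers_text, invoking_user, groups):
        return False
    return True
```

On a real host, `sudo -l -U <user>` reports what the full policy grants that user, including any NOPASSWD tags.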
0

root is the superuser in Linux. By default root has all privileges. You don't have to explicitly configure root as sudoers.

Just think, if there is no such superuser, how and who can control access privileges for others?

TheGeek
  • 156