6

In /etc/sudoers, there is always:

root    ALL=(ALL:ALL) ALL

However, the root user (with UID 0) doesn't need to enter a password when they run a sudo command.

For other users, a password is required unless their entry contains NOPASSWD or a previous authentication hasn't timed out:

user    ALL=(ALL:ALL) NOPASSWD:ALL
                      ^^^^^^^^
iBug
  • 3,508
  • This is a bit weird actually. Even though you'd usually use sudo to run commands as UID 0, and root is already UID 0 and there's nothing to gain by stopping them, sudo still requires the config line for root to be there. Without it, it tells even root to bugger off. – ilkkachu Mar 25 '19 at 10:37
  • Cause it is root. What would you gain running sudo as root? "Beyond Root"? "Who watch the Watchmen?" –  Mar 25 '19 at 14:28
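
An added example, not part of the original post: a small Python audit of sudoers text that lists which commands carry the NOPASSWD tag described above. It goes slightly beyond the single-command entry shown, covering the tag carrying over to later commands in the same entry until PASSWD resets it. The sample file, its users and its commands are constructed; the parser assumes one user and one host list per entry and does not follow includes or expand aliases.

```python
import re

# Constructed sample sudoers text; users and commands are made up for illustration.
SAMPLE = """\
# constructed sample
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL:ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
        PASSWD: /usr/bin/systemctl stop app
backup  ALL=(root, bin) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
%admin  ALL=(ALL) ALL
"""

TAG = re.compile(r"([A-Z_]+):\s*")             # NOPASSWD:, PASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"^\([^)]*\)\s*")           # leading (ALL:ALL), (root, bin), ...
CMD_SEP = re.compile(r"(?<!\\),(?![^()]*\))")  # unescaped comma outside (...)

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def nopasswd_commands(text):
    """Return (who, command) for every command that carries NOPASSWD."""
    findings = []
    for line in logical_lines(text):
        who, *tail = line.split(None, 1)
        if not tail or who.startswith("Defaults") or who.endswith("_Alias") or "=" not in tail[0]:
            continue  # only user specifications are parsed here
        nopasswd = False  # a tag carries over to later commands in the same entry
        for part in CMD_SEP.split(tail[0].split("=", 1)[1]):
            part = RUNAS.sub("", part.strip())
            tag = TAG.match(part)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                part = part[tag.end():]
                tag = TAG.match(part)
            if nopasswd:
                findings.append((who, part))
    return findings

if __name__ == "__main__":
    for who, cmd in nopasswd_commands(SAMPLE):
        print(f"{who}: no password prompt for {cmd}")
```

The root entry is not reported because it carries no tag; root's exemption from the prompt comes from sudo itself, not from the file.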

2 Answers

6

sudo allows users to execute commands as UID 0 (or other users) based on how it’s configured. There is no need to ask root for a password to run a command as UID 0, because it already is UID 0.

Furthermore, root can also su to anyone it’d like, so there’s no need to prompt for a password when executing sudo -u user as UID 0.

Note: I do believe there is a PAM setting that will even require root to provide a password for the target user when using su.

Peschke
  • 4,148
3

While this is an interesting inconsistency, it would be pointless to stop root, as root has the capabilities CAP_SETUID and CAP_SETGID, so it does not need sudo. It can do whatever it wants.

If sudo is checking root, and not these capabilities, then there may be a latent bug: root with no capabilities could escalate (I don't know; I have not looked at the code or tested).