Is "sudo su -" considered a bad practice?

unix linux sudo su

Background

I know the difference between su -, sudo su -, and sudo <command>:

  • su - - switches user to root, requires the root password
  • sudo su - - switches user to root, requires only the current user's password
  • sudo <command> - grants root access only for a specific command; requires only the current user's password

My question is about whether or not using sudo su - is a safe practice in a production environment.

Some thoughts:

  1. It seems like allowing sudo su - poses a security risk by making access to the root account dependent upon individual user passwords. Of course, this might be mitigated by enforcing a strict password policy. I don't think su - is any better since it would require the administrator to share the actual root password.

  2. Allowing users to completely switch to the root account makes it more difficult to keep track of who makes changes to the system. I've seen cases at my day job where multiple users are given sudo su - access. The first thing the users do when logging into the system is run sudo su -, before beginning work. Then, one day something breaks, and there is no traceability to who ran rm -rf * in the wrong directory.

Questions

Given the above concerns, is it ever a good idea to allow users to use sudo su - or even su - at all?

Are there any reasons an administrator would configure user accounts for sudo su - or su - instead of sudo <command> (aside from laziness)?

Note: I am ignoring the case where the user running sudo su - or su - is the Administrator needing to make system changes, when direct ssh access has been disabled for the root user.


Let's look your cases:

 su -

will run a /bin/sh as the root user using the root environment. The root password is needed and logging MAY be logged depending on syslog settings (usually is by default to /var/log/auth.log).

 sudo /bin/sh

will run shell as the root user using the current set of environment variables (with some exceptions as would be defined in the sudoers file). The password is the source user password and NOT the root user password. sudo is usually logged.

 sudo su -

will run a shell (usually /bin/sh) as the root user setting up the environment as the root user. This will require the password of the source user and this will generally be logged.

Sometimes it is necessary to have the root environment over your own environment, thus su - is an appropriate method. Remember sudo will still log the use of the shell command in either case.

Related

How to join domain and still maintain settings from unjoined user profile?
How to set up Google ShortName service for my domain, so that the FQDN isn't needed
How to exclude file extensions and languages from "format on save" in VSCode?
Reading and writing environment variables in Python? [duplicate]
Redirect to external URI from ASP.NET MVC controller
AngularJS - difference between pristine/dirty and touched/untouched
DirectX SDK (June 2010) Installation Problems: Error Code S1023
Visual Studio 2010 shortcut to find classes and methods?
How can I tell AngularJS to "refresh"
Visual Studio Copy Project
How do I move a file with Ruby?
In Python, how do I create a string of n characters in one line of code?