What exactly is the point of the sudo command, in terms of security?

This question is actually not Ubuntu-specific. My understanding is that sudo is to prevent non-authorized users from doing administrative and other potentially harmful operations. The premise is that someone is here in front of my PC using it... or maybe remotely (but in that case they should know my login password to connect to the computer, and this is usually the same as my sudo password...). So someone is in front of my PC and she cannot delete certain important files or dirs or install harmful software without knowing my sudo password, but she can do a lot of other harmful and privacy-violating things without sudo. So, wouldn't it be better to instead ask for admin privileges each time before opening the file manager or the terminal? I know this may be time-consuming and exhausting...


Solution 1:

First off, you need to understand the concept of users in Linux, with special regard to the root user. In order to keep this answer below the character limit (and on topic), I'd suggest you read this page followed by this one. Really, all you need to know is the following:

Linux is a multi-user operating system with each user having limited power and scope as defined by their user group. Every Linux system has something called the root user (UID 0, also known as the superuser), who is the total and completely authoritative administrator. root knows all, root sees all, root controls all.

The concept of sudo came from the old UNIX command su (from switch user), which allowed any user to log in to any other user on the system. Anyone with administrative privileges would type su root (or just su) to escalate to the root user for any admin task. This, regrettably, had a few problems. In systems with multiple admins, everyone shared the root password. This meant that if an admin left the company, the root password would need to be changed and redistributed to all of the other administrators. This can be extremely time-consuming at times, and otherwise just be a great pain.

Now, enter sudo. sudo works on a different principle. Instead of requiring users to know the root account login, sudo would be used to allow users to escalate themselves into the root account (or any other account, for that matter) based on the rules of the /etc/sudoers file. Now, revoking or adding an administrator is simple -- just add or remove a user from a group or the file. Because of this, the root account can be "disabled", thereby blocking access to anyone except actual admins.

For almost all cases, this is all sudo is used for. It grants root power to administrators (members of group admin or sudo) based on the rules defined in /etc/sudoers.

(Un)intentionally, this also comes with a massive security benefit. Administrators can run in an unprivileged mode just like any other user. They can then escalate or "enable" administrative privileges when they're needed, and revoke them immediately afterwards. Usually, this is only used for a single command (e.g. sudo apt install cowsay), but it could also be a full-blown root shell.

This isolation in turn also protects the system at large (remember, *NIX was originally a multi-user environment used by many people) from malicious code executed from an admin's account, be it through malware or someone logging on to an admin's active terminal. Similarly, sudo allows every admin action to be logged and reviewed at any time. Contrast this to the old su method, where you realistically had no idea who ran what command.

Also, based on the permission model of Linux, sudo can prevent a user from making potentially dangerous mistakes like accidentally uninstalling a critical program, erasing a hard drive, or any other number of nasty things that should never be done without some confirmation.

TL;DR:

Really, sudo is just a (very useful) holdover from the true multi-user environments of old *NIX installations. However, it still retains its usefulness by protecting the system from malware or session hijacking. In typical *NIX mentality, protection of the admin's actual account is an exercise left to the admin.

If you're worried about someone sitting down at your computer while you're away and messing with your privacy, just lock your screen/session. Even so, physical access is a killer.
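As an added illustration (not part of the original answer), here is a constructed Python model of the rule-based escalation the answer describes: a small subset of /etc/sudoers with group-based grants, per-command restrictions, sudo's last-match-wins ordering, and one audit line per decision. The users, groups and commands are made up, and this is a teaching model, not sudo's own code.

```python
"""Toy model of /etc/sudoers matching (constructed, not sudo's own code).
Subset handled:  <user | %group>  ALL=(<runas>)  [NOPASSWD:]  <cmd>[, <cmd>...]
Rules are read top to bottom and the last match wins, as in real sudo.  A command
listed without arguments matches any arguments; with arguments it must match exactly.
"""

# Constructed sudoers content: the admin group gets everything, a deploy group gets
# two commands, and one user has an extra NOPASSWD entry of his own.
SUDOERS = """
%sudo      ALL=(ALL) ALL
%deployers ALL=(root) /usr/bin/apt, /usr/bin/systemctl restart myapp
bob        ALL=(root) NOPASSWD: /usr/bin/apt
"""

# Constructed group membership (what /etc/group would say on a real system).
GROUPS = {"alice": {"sudo"}, "bob": {"deployers"}, "carol": set()}

AUDIT = []  # one line per decision, mirroring the records sudo sends to syslog


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        who, rest = line.split(None, 1)
        spec = rest.split("=", 1)[1].strip()           # drop the host part
        runas = "ALL"
        if spec.startswith("("):
            runas, spec = spec[1:].split(")", 1)
        spec = spec.strip()
        nopasswd = spec.startswith("NOPASSWD:")
        if nopasswd:
            spec = spec[len("NOPASSWD:"):]
        rules.append((who, runas, nopasswd, [c.strip() for c in spec.split(",")]))
    return rules


def cmd_matches(rule_cmd, command):
    if rule_cmd == "ALL":
        return True
    rule_parts, cmd_parts = rule_cmd.split(None, 1), command.split(None, 1)
    if rule_parts[0] != cmd_parts[0]:
        return False
    return len(rule_parts) == 1 or rule_parts == cmd_parts


def may_run(user, command, runas="root", groups=GROUPS, sudoers=SUDOERS):
    """Return (allowed, password_required) and append an audit line."""
    allowed, needs_pw = False, True
    for who, r, nopasswd, cmds in parse_rules(sudoers):
        by_group = who.startswith("%") and who[1:] in groups.get(user, set())
        if (who == user or by_group) and r in ("ALL", runas):
            if any(cmd_matches(c, command) for c in cmds):
                allowed, needs_pw = True, not nopasswd    # last match wins
    verdict = "ALLOWED" if allowed else "command not allowed"
    AUDIT.append(f"{user} : USER={runas} ; COMMAND={command} ; {verdict}")
    return allowed, needs_pw
```

Note that removing bob from the deployers group does not revoke his explicit per-user line, which is why revocation is simplest when grants are made only through groups, as the answer recommends.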