Not generally a problem if sudo prompts for your password - unless of course you enter your password when prompted.
In theory, I think it would be possible to trick a user into entering the password to allow sudo to proceed, particularly a noob user.
The seriously security-conscious would have two accounts - one for general use which does not have unrestricted sudo rights (or has no sudo rights at all) and one for admin use which does have unrestricted
That may or may not be satisfactorily convenient.
This is how I have set up Mrs @kieran, who by comparison with me is a noob user.
It’s just good security practice to disable something that is not used.
Distros like Ubuntu never require you to log in as root - so why leave root as a valid account that could in theory be logged in as? Why give hackers a chance to brute-force the account? Or find a crypto weakness in the hashed password? It may be a very very small exposure but why even offer it?
As a theoretical example, assuming you allow ssh access into the Linux computer, and assuming that ssh is configured only to allow password authentication … why even offer the possibility that someone could ssh in as root? (This is a bad example though because most SSH servers by default wouldn’t allow root in at all.) By locking the root account though, you are covering all inbound protocols that use password authentication, regardless of whether the server applies a special rule for
sudo is a very flexible command. It can be configured to allow only certain commands or to apply other restrictions. However, as used by most people, if you can sudo at all then you have no restrictions.
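The two checks discussed above (is the root password locked, and which accounts have unrestricted sudo) can be expressed as a small audit script. This is an added example, not part of the original post; the account names `adminuser` and `general`, the function names and the sample shadow/sudoers text are constructed, and the sudoers parsing is simplified (no aliases, includes or line continuations).

```shell
#!/bin/sh
# Constructed sample data in shadow(5) and sudoers(5) format, not from a real system.
SAMPLE_SHADOW='root:!:19700:0:99999:7:::
adminuser:$y$j9T$constructedsalt$constructedhash:19700:0:99999:7:::
general:$y$j9T$constructedsalt$constructedhash:19700:0:99999:7:::'

SAMPLE_SUDOERS='# constructed sudoers fragment
Defaults  env_reset
adminuser ALL=(ALL:ALL) ALL
general   ALL=(root) /usr/bin/apt update, /usr/bin/apt upgrade'

# Report the password state of one account.
# A hash field starting with "!" or "*" can never match a typed password,
# so password authentication for that account fails whatever service asks.
password_state() {   # $1 = shadow text, $2 = user name
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u { found = 1
                  if ($2 ~ /^[!*]/)  print "locked"
                  else if ($2 == "") print "empty"
                  else               print "password-set" }
        END { if (!found) print "no-such-user" }'
}

# List users/groups whose command list is the bare keyword ALL,
# i.e. anyone who "can sudo at all" without restriction.
unrestricted_sudo() {   # $1 = sudoers text
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/     { next }   # comments and blank lines
        /^[ \t]*Defaults/  { next }   # option lines, not grants
        { spec = $0
          sub(/^[^=]*=[ \t]*/, "", spec)       # drop "who host="
          sub(/^\([^)]*\)[ \t]*/, "", spec)    # drop "(runas)"
          sub(/^([A-Z]+:[ \t]*)+/, "", spec)   # drop tags such as NOPASSWD:
          sub(/[ \t]+$/, "", spec)
          if (spec == "ALL") print $1 }'
}

# Demo run on the constructed samples.
echo "root password: $(password_state "$SAMPLE_SHADOW" root)"
echo "unrestricted sudo: $(unrestricted_sudo "$SAMPLE_SUDOERS")"
```

On a real system the inputs would be the output of `sudo cat /etc/shadow` and `sudo cat /etc/sudoers /etc/sudoers.d/*` rather than the sample variables.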