Linux Security Best Practices: Disabling Root Login vs. Using Sudo for Privileged Access


In Linux system administration, the debate around root access is as old as Unix itself. The root account, with its unlimited privileges, is both a powerful tool and a significant security risk. Modern security practices strongly recommend disabling direct root login and using sudo instead for several compelling reasons:


# /etc/ssh/sshd_config

# Bad practice - direct root login enabled
PermitRootLogin yes

# Good practice - disable root login
PermitRootLogin no

The sudo approach provides superior security through:

  • Accountability (commands are logged per user)
  • Granular control (specific command permissions)
  • Reduced attack surface (no always-enabled superuser)
  • Accidental damage prevention (conscious privilege elevation)

Here's how to properly disable root access and configure sudo:


# 1. Create a new admin user
useradd -m -s /bin/bash adminuser
passwd adminuser

# 2. Add to the sudo group (the group is named wheel on RHEL-family systems)
usermod -aG sudo adminuser

# 3. Disable root login in SSH. Stock configs ship the directive commented
#    out (e.g. "#PermitRootLogin prohibit-password"), so match that form too
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin no' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config

# 4. Check the config parses, then restart SSH (the unit is "ssh" on Debian/Ubuntu).
#    Keep your current session open until a fresh login as the new user works
sshd -t && systemctl restart sshd

# 5. Verify sudo works
su - adminuser
sudo whoami
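Because distributions usually ship PermitRootLogin commented out, and because a typo in sshd_config followed by a restart is the classic way to lock yourself out, it is worth having a helper that edits any copy of the file idempotently and lets sshd parse the result before anything is restarted. The following is an added example, not code from the original article: it assumes GNU sed and grep (for -E, -i and the I flag), it does not model Match blocks (keep the hardened directives in the global section), and the sshd -t validation only runs when sshd is installed on the machine.

```shell
#!/bin/sh
# Added example, not from the original article. Idempotently sets sshd_config
# directives on an arbitrary file path so the change can be rehearsed on a
# copy before touching /etc/ssh/sshd_config. Handles the commented-out form
# distros ship ("#PermitRootLogin prohibit-password"), which a plain
# 's/^PermitRootLogin.*/.../' substitution silently skips.
# Assumes GNU sed and grep.
set -u

# set_sshd_option FILE KEY VALUE
# Rewrites every active or commented KEY line to "KEY VALUE"; appends if none.
# sshd keywords are case-insensitive, hence the I flag.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY
# Value sshd would use: the first active match wins, later duplicates are ignored.
# (Match blocks are not modelled.)
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE
# Applies the three settings the article lists for disabling root login.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

# validate_sshd_config FILE
# Lets sshd parse the candidate file before any restart, so a broken file
# cannot take the daemon down. Skips with status 0 when sshd is not installed.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Demo on a constructed copy (a stock-looking config, not a real host's file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# This is the sshd server system-wide configuration file.
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
harden_sshd_config "$demo"
echo "PermitRootLogin is now: $(effective_value "$demo" PermitRootLogin)"
echo "PasswordAuthentication is now: $(effective_value "$demo" PasswordAuthentication)"
cat "$demo"
rm -f "$demo"
```

On a real host the sequence is: copy /etc/ssh/sshd_config to a temp file, run harden_sshd_config and validate_sshd_config on the copy, move it into place, and only then restart sshd while an existing session stays open.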

For enterprise environments, consider customizing /etc/sudoers:


# Sample sudoers entry with restrictions
User_Alias ADMINS = adminuser, backupadmin
Cmnd_Alias PROCESS = /bin/kill, /usr/bin/killall

ADMINS ALL=(ALL) ALL
backupadmin ALL=(ALL) NOPASSWD: /usr/bin/rsync
%developers ALL=(ALL) PROCESS

Lockout scenario: Always test sudo access before disabling root, keep your existing session open until a fresh login with the new user succeeds, and have console (or out-of-band) access available.

Legacy systems: For systems that still require an interactive root account, a restricted shell limits what that session can do (it is not a hard security boundary):


# Restricted root shell (rbash). /etc/shells entries must be a bare absolute path,
# so "/bin/bash -r" is invalid; Debian/Ubuntu ship /bin/rbash as a symlink to bash
[ -e /bin/rbash ] || ln -s /bin/bash /bin/rbash
grep -qx /bin/rbash /etc/shells || echo /bin/rbash >> /etc/shells
chsh -s /bin/rbash root

Industry standards like CIS benchmarks recommend:

  • Disabling root SSH login
  • Setting root password to * in /etc/shadow
  • Implementing sudo timeout (Defaults timestamp_timeout=5)
  • Using pam_wheel for group restrictions

# Lock the root password ("*" can never match a hash)
usermod -p '*' root

# Configure sudo timeout. Never append to /etc/sudoers directly: a syntax error
# there disables sudo for everyone. Write a fragment and let visudo check it
echo "Defaults timestamp_timeout=5" > /etc/sudoers.d/timeout
chmod 0440 /etc/sudoers.d/timeout
visudo -cf /etc/sudoers.d/timeout || rm -f /etc/sudoers.d/timeout

For decades, the root user has been the ultimate privilege in Unix-like systems. But modern security practices strongly recommend disabling direct root access. Here's why:

  • Eliminates brute force attacks targeting root
  • Provides clear audit trails through individual sudo logs
  • Prevents catastrophic mistakes (rm -rf / feels different when prefixed with sudo)
  • Enforces the principle of least privilege

Here's how to properly disable root login while maintaining administrative access:

# First, ensure you have at least one sudo-enabled user
usermod -aG sudo your_username

# Verify sudo access
sudo -l

# Disable root password
sudo passwd -l root

# For SSH hardening:
sudo nano /etc/ssh/sshd_config

Add or verify these critical SSH settings (confirm that key-based login works for your user before setting PasswordAuthentication no, otherwise you lock yourself out):

PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

A well-configured sudoers file is crucial. Instead of editing /etc/sudoers directly, use:

sudo visudo

Example secure configurations:

# Passwordless sudo for the admin group with one command excluded. sudoers(5)
# warns that "!" exclusions after ALL cannot reliably stop a user who has ALL
# from reaching the excluded command; prefer allow-lists like the entry below
%admin ALL=(ALL) NOPASSWD: ALL, !/usr/bin/passwd root

# Command-specific permissions
john ALL=(ALL) /usr/bin/apt, /usr/bin/systemctl

Companies implementing these measures report:

Metric                          Improvement
SSH brute force attempts        ↓ 98%
Privilege escalation incidents  ↓ 85%
Accidental system damage        ↓ 72%

For enterprises, consider these additional measures:

  • Implement sudo session recording (try sudoreplay)
  • Configure centralized logging for sudo commands
  • Set up time-based restrictions (e.g., "No sudo after business hours")
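The accountability argument made throughout this article (and the centralized-logging item above) only pays off if someone actually reads the sudo log. The following is an added example, not code from the original article: a small audit pass over the entries syslog writes for sudo (auth.log on Debian/Ubuntu, /var/log/secure on RHEL-family) that counts elevations per user, counts rejected attempts, and flags elevations to a shell or su, which collapse everything that follows into one unattributed root session. The log lines are constructed for the demo, not taken from a real host; the user names and host name are made up.

```shell
#!/bin/sh
# Added example, not from the original article: audit the sudo entries in a
# syslog-format file. Log lines below are constructed for the demo.
set -u

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 09:01:12 web1 sudo:     john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:01:40 web1 sudo:     john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:05:03 web1 sudo: backupadmin : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /srv/ /backup/
Mar  3 09:07:55 web1 sudo:     dave : TTY=pts/1 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Mar  3 09:10:21 web1 sudo:    guest : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Mar  3 09:11:02 web1 sudo:     john : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  3 09:12:30 web1 CRON[4711]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# successful_sudo LOG: only entries where sudo actually ran the command.
successful_sudo() {
    grep ' sudo: ' "$1" | grep 'COMMAND=' | grep -Ev 'NOT in sudoers|incorrect password'
}

# invoking_user (filter): the user name between "sudo:" and the first " :".
invoking_user() {
    sed -E 's/.* sudo: +([^ ]+) :.*/\1/'
}

# sudo_commands_per_user LOG -> "user count" per line, sorted by user.
sudo_commands_per_user() {
    successful_sudo "$1" | invoking_user | sort | uniq -c | awk '{ print $2, $1 }'
}

# sudo_denied_per_user LOG -> "user count" of rejected attempts (not in
# sudoers, or password failures). Repeated failures from one account deserve
# an alert just like failed SSH logins do.
sudo_denied_per_user() {
    grep ' sudo: ' "$1" | grep -E 'NOT in sudoers|incorrect password' |
        invoking_user | sort | uniq -c | awk '{ print $2, $1 }'
}

# sudo_shell_escapes LOG -> successful elevations whose command is a shell or
# su: from that point on, per-command logging no longer shows what root did.
sudo_shell_escapes() {
    successful_sudo "$1" | grep -E 'COMMAND=(/usr)?/bin/(sh|bash|dash|zsh|su)( |$)'
}

echo "== commands per user =="; sudo_commands_per_user "$SAMPLE_LOG"
echo "== denied attempts =="; sudo_denied_per_user "$SAMPLE_LOG"
echo "== elevations to a shell (audit trail ends here) =="
sudo_shell_escapes "$SAMPLE_LOG" | invoking_user
```

Point the functions at the real log file (or the centralized copy) instead of SAMPLE_LOG; if shell escapes show up regularly, that is the signal to add sudo session recording, as the list above suggests, or to narrow the sudoers entries involved.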