How is sudo intended to be used?
For basic operation — running commands as root — the most visible difference between sudo and su is that sudo requires the password of the calling user (i.e. your password) whereas su requires the password of the target user (i.e. the root password). The security implications have been discussed extensively in a previous question: Which is the safest way to get root privileges: sudo, su or login?.
Sudo has additional features beyond su's. In particular, once you have a user's password, you can run any command as that user. On the other hand, sudo can be configured so that the user invoking it can only run specific commands as some other user. This is possible because sudo doesn't require any authentication (other than perhaps confirming that you are you by typing your password — but that's subtly different from authenticating your user for a task).
You change the sudo configuration by running the visudo command as root (never edit the configuration directly). Make sure the environment variable EDITOR or VISUAL is set to your favorite editor or you may get an unfamiliar editor. The sudoers man page is a bit terse but has examples. To allow the user bob to run /bin/foo (with any number of arguments) and /bin/bar --safe (but not with any other argument) as root, use the following lines:
bob ALL = (root) /bin/foo
bob ALL = (root) /bin/bar --safe
The biggest difference is that with sudo you don't need the root password to run a command as root, as you would for su. You do need the root password to add someone to the sudoers file but thereafter that person can run all or some (if you've restricted it) as root without requiring a further password.
The other difference is, as you've noted, sudo allows a much finer control over exactly what commands can be run.
For details of the format of the sudoers file run man sudoers. You'll find examples there of allowing only certain commands to be run as root. The basic structure of each line is:
user_list host_list = cmd_list
cmd_list can include details of which user the real user is allowed to switch to. For instance, you might allow a webmaster to switch to wwwroot to restart apache but not to root. It can also include other options such as whether the user's password is required before switching (this is the default).
An example line might be:
joe ALL=(ALL) ALL
which means: let joe run any command on any host as any user. A tighter line might be:
joe ALL=(operator) /usr/local/ops/
which means: let joe run any command in the /usr/local/ops directory as the user "operator".
There are lots of examples at the end of the sudoers man page.
You should edit /etc/sudoers with the command visudo. This checks that the file is legal and helps prevent you from accidentally breaking it.
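The rules quoted in the answers above differ only in their command part, and that part decides how much is actually granted. The following is an added example, not part of any answer and not sudo's own parser: a simplified Python model of how a sudoers command spec matches an invocation. It assumes one rule per line in the `user host = (runas) command` shape shown above, ignores the host field, aliases, wildcards, tags and negation, and the `/bin/baz ""` rule is constructed to show the no-arguments form.

```python
import re

# Simplified model of sudoers command matching (illustration only).
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*\(([^)]*)\)\s*(.+)$")

# First three rules are from the answers; the last one is constructed.
RULES_TEXT = """\
bob ALL = (root) /bin/foo
bob ALL = (root) /bin/bar --safe
joe ALL=(operator) /usr/local/ops/
bob ALL = (root) /bin/baz ""
"""

def parse_rule(line):
    """Split 'user host = (runas) command [args]' into its fields."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    user, _host, runas, cmd = m.groups()   # host is ignored in this model
    path, *args = cmd.split()
    return {"user": user, "runas": runas.strip(), "path": path, "args": args}

def command_matches(rule, argv):
    """Apply the sudoers rules for bare paths, fixed args, "" and directories."""
    path, args = argv[0], list(argv[1:])
    if rule["path"] == "ALL":
        return True
    if rule["path"].endswith("/"):
        # Directory spec: any file directly inside it, not in subdirectories.
        rest = path[len(rule["path"]):]
        return path.startswith(rule["path"]) and rest != "" and "/" not in rest
    if path != rule["path"]:
        return False
    if not rule["args"]:
        return True                 # bare path: any arguments are accepted
    if rule["args"] == ['""']:
        return args == []           # "" means: only without arguments
    return args == rule["args"]     # listed arguments must match exactly

def is_allowed(rules, user, runas, argv):
    """True if any rule grants `user` the command `argv` as `runas`."""
    return any(r["user"] in (user, "ALL") and r["runas"] in (runas, "ALL")
               and command_matches(r, argv) for r in rules)

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]
```

A bare path such as `/bin/foo` grants every argument the program accepts, so review such entries with the same care as a broader rule. After editing with visudo, `sudo -l` shows the rules that apply to the calling user.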
In addition to the other answers, sudo provides logging facilities so you can keep track of what commands were run and by who. This isn't for security purposes since a malicious user who gets sudo access can wipe out the log. It is very useful though to figure out exactly what you or some other admin did bleary-eyed at 2am last week.