Why doesn't root need the password to run "sudo" even when "NOPASSWD:ALL" isn't written in /etc/sudoers?

sudo allows users to execute commands as UID 0 (or other users) based on how it’s configured. There is no need to ask root for a password to run a command as UID 0, because it already is UID 0.

Furthermore, root can also su to anyone it’d like, so there’s no need to prompt for a password when executing sudo -u user as UID 0.

Note: I do believe there is a PAM setting that will even require root to provide a password for the target user when using su.


While this is an interesting inconsistency, it would be pointless in stopping root, as root has the capabilities CAP_SETUID and CAP_SETGID, so does not need sudo. It can do whatever it wants.

If sudo is checking root, and not these capabilities, then there may be a latent bug: root with no capabilities could escalate (I don't know; I have not looked at the code or tested).
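
The distinction drawn in the answer above, between being UID 0 and actually holding CAP_SETUID and CAP_SETGID, can be inspected per process from the `Uid` and `CapEff` lines of /proc/<pid>/status. This is an added example, not part of the original thread; the function names and the sample status text are constructed for illustration, and it makes no claim about what sudo itself checks.

```python
import os

# Bit positions from <linux/capability.h>.
CAP_SETGID = 6
CAP_SETUID = 7

# Constructed samples in /proc/<pid>/status format (relevant lines only).
SAMPLE_FULL_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_BARE_ROOT = "Name:\tworker\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n"
SAMPLE_USER = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"


def parse_status(text):
    """Return (effective uid, effective capability mask) from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if "Uid" not in fields or "CapEff" not in fields:
        raise ValueError("status text has no Uid or CapEff line")
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    return euid, int(fields["CapEff"], 16)


def describe(text):
    """Classify a process by effective uid and identity-changing capabilities."""
    euid, cap_eff = parse_status(text)
    setuid = bool((cap_eff >> CAP_SETUID) & 1)
    setgid = bool((cap_eff >> CAP_SETGID) & 1)
    if euid == 0 and setuid and setgid:
        verdict = "uid 0 with CAP_SETUID and CAP_SETGID"
    elif euid == 0:
        verdict = "uid 0 without full CAP_SETUID/CAP_SETGID"
    elif setuid or setgid:
        verdict = "non-root holding CAP_SETUID or CAP_SETGID"
    else:
        verdict = "unprivileged"
    return {"euid": euid, "cap_setuid": setuid, "cap_setgid": setgid, "verdict": verdict}


if __name__ == "__main__":
    path = "/proc/self/status"
    if os.path.exists(path):
        with open(path) as fh:
            print("this process:", describe(fh.read()))
    for sample in (SAMPLE_FULL_ROOT, SAMPLE_BARE_ROOT, SAMPLE_USER):
        print(describe(sample))
```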
