How is sudo safer than directly using su if the user is granted access to all commands?

Personally I do not necessarily consider it safer and most of the benefits (of sudo) are on a multi user system. On a single user system it probably is a wash.

The benefits are (in no particular order):

• sudo has superior logging. sudo logs each command.
• sudo allows finer grain control. One can configure sudo to give root access to some but not all commands.
• sudo uses the login password. This protects having to give the root password (as you would with su) and is related to the point above regarding finer grained control / access to root.
• In Ubuntu, by default, the root account is locked. This deters crackers as to log in (remote via say ssh) they have to guess both a user name and a password. If the root account is not locked, as is the case with su, then they only need to crack root's password.
• sudo -i is probably the best method to isolate root's environmental variables from your user. This comes up from time to time but is moderately esoteric. See https://help.ubuntu.com/community/RootSudo#Special_notes_on_sudo_and_shells
• some people feel that having to type sudo before every command they wish to run as root or having sudo time out allows them to stop and think more clearly and reduces their errors or running erroneous commands. If doing so helps you that would be a benefit as well.

There are probably more benefits , but, those are the major ones, IMHO.

See also - https://help.ubuntu.com/community/RootSudo

To try to answer some of your other thoughts:

• There is nothing about either su or sudo that prevents you running malicious code as long as you know the password. Neither is safer or better.
• Crackers can obtain shell access via a number of methods. When you see "run arbitrary code" in a security notice - https://usn.ubuntu.com/usn/ - that means a cracker can run /bin/bash or any other code. Thus a cracker, via various exploits, can obtain shell access without knowing your login name or password. Neither sudo or su helps with this.
• If a cracker has shell access they can do a lot of damage without root access. For example the ransomware that encrypts all your personal data.
• If a cracker has shell access to an account with root access, via either su or sudo, the cracker can obtain root access via a number of methods beyond the scope of this discussion. Neither sudo or su is superior in this respect either.

So while you have observed problems or flaws with sudo, su has the exact same vulnerabilities and su is not superior to sudo in those aspects, IMHO

Imagine you have 20 minutes to do something complex. You’re a bit hungover and you have to rush. “Let’s use su” you say. “It’ll save some time” is your reasoning.

By accident you type

rm -rf /*

instead of

rm -rf ./*

Your system is now bricking itself and you have 10 minutes until your deadline.

If you explicitly choose when you need root, you can minimise the chance of this happening. Root might not be needed for rm -r ./* so why use it? Why take the risk?

That’s what “safety” means here. Minimising the risk of users (all users, not just beginners) making a fatal mistake.

Of course, this is an extreme example that shouldn’t be allowed to happen in a production environment (I guarantee it has happened in a prod environment).

Security wise there’s some stuff that sudo is better for too. As @Panther says - logging, restrictions, root password is SPOF, etc.)

I want to add a bit of historical perspective to the other answers. Unfortunately, I do not have any sources ready except for my own memories of Usenet discussions and magazine articles.

Some time ago, in the 1990s, distributions were making it easier to install Linux on your own hardware, even with not much computer knowledge.¹ Thus, Linux started to attract more and more people that surprisingly had not previously been drilled as system administrators on some UN*X dialect. Instead, many were used to (single user) systems like Windows 95/98. And they learned that most Linux system administration tasks made it necessary to work under that strange "root" account.

Thus, some users just logged in as root and used that account for all their daily work. Why should they have to type su and the root password again and again or login into a new tty just for some admin commands? But using root for everything is of course not a good idea, as you could do a lot more harm to your system with some unmindful command in the wrong place. This even led some distro (was it SuSE?) to modify the desktop background for the root user to display a big warning that you should use that account only for admin tasks.

So, the Ubuntu way with sudo has some advantages (in addition to those already listed by Panther).

• You cannot directly login to the root account.² :-)
• The installation process will not ask you for an (additional) root password, you need only one (your user's) password.
• sudo caches your credentials, so for multiple admin commands in sequence, you only have to enter your password once (in contrast to su). This reduces the urge to just open a shell or a new terminal with root privileges.
• And it makes it easier to tell users online and in documentation which commands they have to enter as admin and which not.³

¹ And for those not daring to do it themselves, there were install parties.
² But you can use a command like sudo -i or sudo su - root to get a root shell after you logged in as a normal user.
³ But you know of course that you should not simply copy&paste commands from the Internet, right?

It has been possible to disable root login through ssh for decades. The Ubuntu way of disabling the root account and making people sudo everything is nothing more than a gimmick. Just "sudo -s" and you have a root shell. Disable root login through ssh and leave it there.

Depending on the configuration, sudo <game ending command> will not necessarily work. Of course, if the sudoers configuration reads "user ALL=(ALL) ALL", sudo will offer no additional protection. You can however specify a list of privileged commands you need to run often, like installing new packages, and leave out dangerous commands like rm.

This way you can run all commands if you login as root, but since you will only need this occasionally, the risk of running <game ending command> will be substantially reduced.

That sudo allows you to allow only certain commands is not the only benefit of sudo over su.

In most shops, it is not even the most important benefit.

With sudo, you know who performed a particular command.

Now maybe this doesn't matter to you. For example, you might be the only user of your computer. If so, then sudo possibly isn't any better than su.

But plenty of hosts have more than one admin.

sudo then becomes very useful because if someone does the wrong thing, sudo lets you know who did it.

That allows you to understand why errors happened, and to educate people to prevent errors recurring, or if necessary, to remove the tools from someone.

As a bonus, when people know that their actions are recorded, they are often that little bit more careful.

Sudo isn't perfect.

If two people do "sudo sh" at the same time, then it can be hard to attribute commands to one or the other.

And a malicious admin can always remove or edit logs - although doing that cleanly isn't always as easy as people think, especially if you have centralised logging.

sudo doesn't necessarily stop a stupid or malicious action, for all the reasons identified in the original question.

But it does give you a much better chance of preventing a recurrence.