Locally, true root privileges are all powerful but...
* Root privileges tend to be squashed over the network, you probably don't have any privileges on other machines directly from this account.
* Root can't do the impossible. Cryptographically protected SSH keys can't be unprotected by fiat. MD5-salted-hashes can't be unwound either.
* Privileges to write to MOTD and add or replace some executables don't add up to root privileges. Particularly in an SELinux system, an attacker might be able to read from & write to some parts of the filesystem but not spawn their own processes or make connections over the network.
* Your nefarious activities may be logged without you being able to prevent it, or tamper with the logs after the fact (network logging, tamper-proof external logging) while user actions would go unremarked.
All of these things make it attractive to capture real passwords to go with the usernames stored in the authentication system, valid SSH passphrases for the keys stored on the system, that sort of thing. These allow you to become just one of dozens, hundreds or even millions of users of the system, and their credentials tend to be valid across many different machines on the network.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds