with full sudo access on our local laptops I could also switch user to the account of my admin for example and have network wide root access
That can indeed be the case, but that speaks of an old-school and rather legacy network/authentication setup based on trust with a number of weak links such as for example:
- home directories are stored on NFS exports (and access to them is not secured with for instance Kerberos nor is your workstation limited to access only map your home directory, rather it can access all home directories)
- with full unrestricted root access it is then trivial to use
su - admin_login and add your own public key to the admin's ~/.ssh/authorized_keys
- with your own private ssh key you can then login directly as that admin on all servers where the admin's home directory is mounted and which allow ssh public key authentication
- when the admin has set up their account with the
NOPASSWD keyword in their sudo policies or relies wheel (or another group) membership and no subsequent other authentication/password is needed to become root or perform other privileged actions...
If the above describes the issues/risks in your network then your Linux/UNIX still relies on a very classic trust model for security.
Any competent administrator should have stopped doing that a long time ago already, but there may have been legacy concerns and considerations...
When your Linux/UNIX network relies on trust and access to resources is not otherwise secured, then the security of the devices that are trusted becomes extremely important. In general placing that security in the hands of end-users is ill-advised. In other words, you don't grant full root access to end-users.
Windows Active Directory / domain security does not rely so much on trust (it evolved later than Unix and then had much less legacy and could benefit from improved insights) but uses a much robust security model for network security, based on Kerberos authentication.
In that regard the security of the end-device is less of an issue as those are not implicitly trusted and granting users local admin rights poses less of a risk.
Does anyone know of such a rights management system that would allow local root but not network wide root?
After removing the legacy setup almost any system could do that. FreeIPA, sssd, integrate with your Windows AD domain etc. etc.
But that requires that your Linux/UNIX network stops relying (solely) on legacy trust and IP-address/hostname based access controls. Implement for example one of the many proper/stronger authentication systems built around either native Kerberos or integrated with AD.
Stop using "trust" (IP-addresses/hostnames) as the only security control and enable proper authentication on network resources. Start for example with the NFS shares containing home directories and migrate them to always require "proper" authentication methods such as Kerberos, or switch to CIFS/SMB that also supports client authentication.
Then the security of your network is no longer solely dependant on the security of trusted devices but rather on users keeping their credentials secure.
Once you do that you can consider granting end-users like yourself more control over their workstations.
Additionally: Administrators should probably also start having more security controls applied to their accounts and for instance not make use of NOPASSWD in their centrally managed sudo policies either.
