17

I added a user named "admin" to my Ubuntu 14.04 LTS server, using adduser.

I'm used to having to add a user to the /etc/sudoers file when adding a new user that needs sudo privileges, but this time I didn't. It doesn't appear the 'admin' user existed before I created it, based on the output in the shell. Why did this work this way?

Braiam
trpt4him

1 Answer

30

By default, adduser adds every new user to a group with the same name as the user's (the group is created if it doesn't already exist). So if you create a user called admin, it will be added to the group admin.

/etc/sudoers contains the line

%admin ALL=(ALL) ALL

which means that all members of the group admin are allowed to use sudo - and that's true for your admin user, too.

  • Side note: This is also true for the Polkit admin privileges. – muru Jan 17 '15 at 06:20
  • 8
    This falls inside the definition of "bug" or "security problem" in my view. Why should there be a magic sequence of letters that gives you superpowers if you use it as your username? – Federico Poloni Jan 17 '15 at 12:58
  • 1
    @FedericoPoloni agree with you, although someone trying to exploit this would have to call adduser, which would mean he already has admin privileges... Still, worth adding a bug report I would think – nico Jan 17 '15 at 14:29
  • 7
    @FedericoPoloni Bug, not at all. The system adds users to their own group with the same name. Joe goes into a group named Joe. admin happens to go into a group named admin. But, admin is a system group. It's the group by default allowed to use sudo. Also, you can specify groups, so the admin user doesn't go into the admin group. Finally, it's a security problem to have a user named admin. I've had SSH brute-force attacks against me relying on my using the username admin. – Kaz Wolfe Jan 17 '15 at 19:37
  • 3
    @Whaaaaaat, for some reason, seeing that username at the end of your posts makes me question everything you say :) – trpt4him Jan 19 '15 at 00:58
  • @trpt4him And, that's why I chose that. – Kaz Wolfe Jan 19 '15 at 01:06
  • 5
    I think that given the policy of one user - one group, the expected behavior (at least, for me) is to bail out with an error if the group name exists (as it does if the user name exists). I vote for the bug, or at least unexpected behavior. – Rmano Jan 20 '15 at 20:33
  • The group "admin" was probably added to allow "admin" users on a LAN consisting of a mix of Novell, Linux and Unix servers, at that time it was thought a good thing for Admin users on LANs! – Ken Mollerup Jan 29 '15 at 12:59
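
A pre-flight check for the collision the answer describes, as an added example that is not part of the original posts: before running adduser, it refuses a username that matches a %group rule in sudoers. The function names and return codes are assumptions of this example, and the group and sudoers contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original page). File paths are parameters so
# the check can run against constructed copies instead of the live /etc files.

# Print every group named in a "%group ..." rule of the given sudoers files.
# awk's field splitting ignores leading blanks; comment lines start with '#'.
sudo_groups() {
    awk '$1 ~ /^%/ { print substr($1, 2) }' "$@" | sort -u
}

# check_new_user NAME GROUP_FILE SUDOERS_FILE...
# Return codes (assumed convention for this example):
#   0  no collision
#   1  a group called NAME already exists, but no sudoers rule names it
#   2  sudoers grants rights to %NAME, so the new user would inherit them
check_new_user() (
    name=$1; group_file=$2; shift 2
    if sudo_groups "$@" | grep -Fxq -- "$name"; then
        echo "REFUSE: sudoers has a rule for %$name" >&2
        return 2
    fi
    if cut -d: -f1 "$group_file" | grep -Fxq -- "$name"; then
        echo "WARN: group '$name' already exists" >&2
        return 1
    fi
    return 0
)

# Constructed sample data, not taken from a real host.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'sudo:x:27:alice' > "$demo_dir/group"
printf '%s\n' '# constructed sudoers excerpt' \
    'root ALL=(ALL:ALL) ALL' \
    '%admin ALL=(ALL) ALL' \
    '%sudo ALL=(ALL:ALL) ALL' > "$demo_dir/sudoers"

for candidate in admin sudo root joe; do
    rc=0
    check_new_user "$candidate" "$demo_dir/group" "$demo_dir/sudoers" || rc=$?
    echo "$candidate -> $rc"
done
rm -rf "$demo_dir"
```

On a real system the sudoers arguments would be /etc/sudoers plus the files under /etc/sudoers.d, read with sufficient privileges.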