4

When adding a user like this:

sudo adduser someuser --ingroup sudo

The added user can use sudo, but he is not in /etc/group sudo nor in /etc/sudoers.
So how does it work?

heemayl
EdiD

2 Answers

2

The --ingroup option of adduser changes/adds the primary group of the added user, and the primary group of a user is stored in the /etc/passwd file, in the :-separated fourth field, as a numeric GID.

So sudo is reading the /etc/passwd file, and finding that the user someuser has the primary group sudo, so the sudo commands are working perfectly.

Now, /etc/group's sudo group entry still would not show the membership, because /etc/group only stores the secondary group membership, not primary.

heemayl
2

Your adduser command sets the user's primary group to sudo.

From man adduser:

   By  default,  each  user  in  Debian GNU/Linux is given a corresponding
   group with the same name.       [ ... ]                  Users' primary
   groups  can  also be overridden from the command line with the --gid or
   --ingroup options to set the group by id or name, respectively. 

   [ ... ]  

   --ingroup GROUP
          Add the new user to GROUP instead of a usergroup or the  default
          group  defined  by  USERS_GID  in  the configuration file.  This
          affects the users primary group.  To add additional groups,  see
          the add_extra_groups option

The primary group normally has the same name and ID as the user. It is not stored in /etc/group but in /etc/passwd, like this:

bytecommander:x:1000:1000:ByteCommander,,,:/home/bytecommander:/bin/bash

The 4th :-separated field contains the GID (group ID) of the user's primary group.

Now /etc/group contains a list of all groups and associates users that have this group as an additional (not primary) group, like this:

sudo:x:27:bytecommander

The distinction between primary and additional groups is also visible in the output of the id command (formatting by me):

$ id
uid=1000(bytecommander) 
gid=1000(bytecommander) 
groups=1000(bytecommander),27(sudo)

What is important for the use of sudo is only membership in the sudo group; it does not distinguish primary and secondary membership. The responsible configuration line can be found in /etc/sudoers and looks like this:

%sudo   ALL=(ALL:ALL) ALL

This line automatically grants all members of the sudo group full permissions to run any command as any user, without having to specify each user manually.

Byte Commander
  • So the best way to know all sudo users is by grepping the sudo group ID in /etc/group and /etc/passwd? – EdiD Sep 23 '16 at 18:48
  • This command should show you all group members of the sudo group, no matter how they got in there, as it parses /etc/passwd to get all user names and checks the output of the groups command for each of them: cut -d: -f1 /etc/passwd | xargs -n1 groups | grep ":.*sudo" | cut -d: -f1 – Byte Commander Sep 23 '16 at 22:48
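
Following up on the comments above, an added example (not part of the original answers or comments): a shell function that lists a group's members straight from passwd- and group-format files and labels each one as primary or supplementary, so an account like someuser is not missed in an audit. The names group_members and demo and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list members of a group and how they got there.
# primary       = passwd field 4 equals the group's GID
# supplementary = user name listed in field 4 of the group file
group_members() {
    grp=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}
    awk -F: -v grp="$grp" '
        # Group file: remember the GID and the supplementary member list.
        FILENAME == ARGV[1] {
            if ($1 == grp) { gid = $3; n = split($4, extra, ",") }
            next
        }
        # passwd file: users whose primary GID is the group GID.
        gid != "" && $4 == gid { print $1 "\tprimary"; seen[$1] = 1 }
        END {
            if (gid == "") exit 1    # no such group in the group file
            for (i = 1; i <= n; i++)
                if (extra[i] != "" && !(extra[i] in seen))
                    print extra[i] "\tsupplementary"
        }
    ' "$group_file" "$passwd_file"
}

# Constructed sample data mirroring the page: someuser has primary GID 27,
# bytecommander is only listed on the sudo line of the group file.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'bytecommander:x:1000:1000:ByteCommander,,,:/home/bytecommander:/bin/bash' \
        'someuser:x:1001:27:,,,:/home/someuser:/bin/bash' > "$d/passwd"
    printf '%s\n' 'sudo:x:27:bytecommander' 'bytecommander:x:1000:' > "$d/group"
    group_members sudo "$d/passwd" "$d/group"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo
```

On hosts that resolve accounts through NSS (LDAP, SSSD), save the output of getent passwd and getent group to files and pass those paths instead of the defaults.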