I removed my regular user from the sudoers file but it is still part of sudo group which has all privileges granted in the sudoers file. When I try to execute any command in sudo from my regular user it says that user is not listed in the sudoers. I was expecting that sudo commands would execute normally since the regular user is part of a group which is listed in the sudoers. My question is why do we specify permission of groups if we should also specify all individual users (in the sudoers) in order for them to execute commands with sudo?

enu
  • 177
  • Your expected behavior is indeed the default behavior AFAIK - without seeing your complete sudoers file and group memberships it's hard to know why that's not happening – steeldriver Feb 12 '17 at 17:35

1 Answer

The purpose of the group privileges in the sudoers file is to conveniently be able to add or remove users from the /etc/sudo group for granting or removing sudo access.

The default /etc/sudoers file allows the sudo group to execute sudo commands. To bring this default back, you would have to modify your files back to the defaults. Compare your /etc/sudoers file with this default file:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

The most likely culprit of your issue is highlighted in bold.

For this to work the /etc/group entry will also need to be formatted properly:

The sudo entry in the /etc/group file:

sudo:x:27:ljames,user1,user2
L. D. James
  • 25,036
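As an added example (not part of the original answer), the shell sketch below checks the two things the answer compares: whether a user appears in a group's member list and whether the sudoers file has a rule for that user or for one of those groups. The function names, temporary files and sample lines are constructed for illustration, and the matcher is deliberately simplified (no aliases, no #includedir files, no primary-group lookup).

```shell
#!/bin/sh
# Added example. Simplified matcher: plain "user" and "%group" subjects only;
# no aliases, no #includedir files, no primary-group lookup via /etc/passwd.

# groups_of USER GROUPFILE: print groups whose member list (field 4) names USER
groups_of() {
    awk -F: -v u="$1" '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$2"
}

# sudoers_match USER GROUPFILE SUDOERSFILE: print the first rule subject that
# covers USER ("user" or "%group"); return 1 when no rule applies
sudoers_match() {
    user=$1 groupfile=$2 sudoers=$3
    # subject = first field of every line that is not blank, a comment or Defaults
    for subject in $(awk 'NF && $1 !~ /^#/ && $1 != "Defaults" { print $1 }' "$sudoers"); do
        if [ "$subject" = "$user" ]; then echo "$subject"; return 0; fi
        for g in $(groups_of "$user" "$groupfile"); do
            if [ "$subject" = "%$g" ]; then echo "$subject"; return 0; fi
        done
    done
    return 1
}

# Constructed sample files (stand-ins for /etc/group and /etc/sudoers)
tmp=$(mktemp -d)
printf '%s\n' 'adm:x:4:syslog' 'sudo:x:27:ljames,user1,user2' > "$tmp/group"
printf '%s\n' '# User privilege specification' 'Defaults env_reset' \
    'root    ALL=(ALL:ALL) ALL' '%sudo   ALL=(ALL:ALL) ALL' > "$tmp/sudoers.default"
# Same file with the %sudo rule removed: group membership alone grants nothing
grep -v '^%sudo' "$tmp/sudoers.default" > "$tmp/sudoers.nogroup"

for f in sudoers.default sudoers.nogroup; do
    rule=$(sudoers_match user1 "$tmp/group" "$tmp/$f") || rule='none'
    echo "$f: user1 matched by: $rule"
done
```

On a real system, `visudo -c` validates the sudoers syntax and `sudo -l -U <user>` (run as root) reports what sudo itself grants to that user.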