What is the difference between the 'sudo' and 'admin' group?
I noticed that two groups are granted similar-looking permissions in /etc/sudoers:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
My user account with "Administer the system" privileges is in the admin group, and there don't appear to be any users in the sudo group. What are these two groups for?
Solution 1:
Ubuntu 12.04 LTS and later
Administrators are added to the sudo group, but the admin group is supported for backward compatibility. From the release notes:
Up until Ubuntu 11.10, administrator access using the sudo tool was granted via the admin Unix group. In Ubuntu 12.04, administrator access will be granted via the sudo group. This makes Ubuntu more consistent with the upstream implementation and Debian. For compatibility purposes, the admin group will continue to provide sudo/administrator access in 12.04.
It is not created when you do a fresh install, though it is still present if you upgraded from previous distributions. Either way, the admin group appears in the /etc/sudoers file.
See implementation details and the official documentation.
Solution 2:
Ubuntu 11.10 and earlier
By default the sudo group is not used in Ubuntu:
- the user created during installation belongs to the admin group, not sudo;
- no guide or manual I ever read advises using the sudo group;
- no one feels the need to use the sudo group, because the admin group can do all one needs.
Conversely, on Debian the group enabled in /etc/sudoers is the sudo group, and there is no admin group. But the user created during installation is not put in that group, because Debian has the root account enabled. You should do it explicitly, if you want to.
Also, Fedora is similar to Debian, having root enabled and no default privileges for the user created during installation. But the administrative group configured in /etc/sudoers is the more traditional group wheel.
In conclusion, I think there is no use for the sudo group in Ubuntu; it is simply a Debian heritage.
Solution 3:
No security difference.
Both have 100% unrestricted access to anything provided by the OS.
The difference in your /etc/sudoers is (ALL) vs (ALL:ALL). The first one means you can run commands as any user. The second means you can run commands as any user and as any group.
The way shown in your /etc/sudoers both groups will need to enter their own password to execute commands as root.
Both can get a root shell like this:
sudo su
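An audit check for the situation the answers above describe, where both a %admin and a %sudo rule sit in /etc/sudoers (added example, not part of any answer on this page): it lists each group rule with its Runas spec and the members of that group. The function names, the sample files and the user "alice" are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit which groups a sudoers file grants sudo to, and who is in them.

# Print "group runas-spec" for each %group rule (simple "%grp HOST=(RUNAS) CMDS" form).
sudoers_groups() {
    awk '/^[ \t]*%/ {
        grp = $1; sub(/^%/, "", grp)
        runas = "(root)"   # sudoers default when a rule has no Runas spec
        if (match($0, /\([^)]*\)/)) runas = substr($0, RSTART, RLENGTH)
        print grp, runas
    }' "$1"
}

# $1 = sudoers-format file, $2 = group(5)-format file.
# Reports ABSENT when a rule names a group that does not exist (the admin
# rule on a fresh 12.04+ install), otherwise the group's listed members.
audit_sudo_groups() {
    sudoers_groups "$1" | while read -r grp runas; do
        line=$(awk -F: -v g="$grp" '$1 == g' "$2")
        if [ -z "$line" ]; then
            echo "$grp $runas ABSENT"
        else
            members=${line##*:}   # 4th field: comma-separated member list
            echo "$grp $runas members=${members:-none}"
        fi
    done
}

# Constructed sample input: the two rules from the question, and a group file
# as it might look after an upgrade from 11.10 (user "alice" is hypothetical).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sudoers" <<'EOF'
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
EOF
printf 'admin:x:110:alice\nsudo:x:27:\n' > "$tmp/group"

audit_sudo_groups "$tmp/sudoers" "$tmp/group"
```

On a real system, pass /etc/sudoers (readable only by root) and /etc/group. Files under /etc/sudoers.d are not followed, and users who hold a group only as their primary group do not appear in the member field.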