sudo config file specifies group "admin" that doesn't exist in system

Bug #1339518 reported by Jonas Björk
This bug affects 2 people
Affects: sudo (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

In the configuration file for sudo ( /etc/sudoers ) you find this section:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

The sudo group is in /etc/group, but the admin group is not. This is a cosmetic bug, but if we specify a group that is allowed to use the sudo command, then the group should exist in the system too.

Installed version: Ubuntu 14.04 LTS, all upgrades up to 9 July 2014 installed, 64-bit desktop ISO used for installation.

Sudo package installed:
ii sudo 1.8.9p5-1ubuntu1 amd64 Provide limited super user privileges to specific users

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu):
status: New → Confirmed
Trent Lloyd (lathiat) wrote :

Just noticed this today, it's still the same on Ubuntu 20.04. The default sudoers file ships the admin group having sudo privileges but the group doesn't exist by default.

While it doesn't have out of the box security implications, I think this is a security concern as someone could potentially add an 'admin' user and not expect them to get sudo access with the default matching group name created for them.

For example, downstream products like web hosting or control panel style tools that create users with a user-provided name. Since neither the user nor the group 'admin' exists by default, they could be fooled into creating escalatable privileges.

Trent Lloyd (lathiat) wrote :

Subscribing Marc as he seems to be largely maintaining this and made the original changes and has been keeping the delta. Hopefully he can provide some insight.

Seems this is a delta to Debian that is being kept intentionally for a long time, it's frequently in the changelog even in the most recent Debian merge.

I'd have thought if we kept this in here by default we probably should have kept a default 'admin' group with no members but it's a bit late for that at this point.

- debian/sudoers:
 + also grant admin group sudo access

Also seems this change was originally made in 2014:

sudo (1.8.9p5-1ubuntu3) vivid; urgency=medium

  * debian/patches/also_check_sudo_group.diff: also check the sudo group
    in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
    admin group check for backwards compatibility. (LP: #1387347)

 -- Marc Deslauriers <email address hidden> Wed, 29 Oct 2014 15:55:34 -0400

sudo (1.8.9p5-1ubuntu2) utopic; urgency=medium

  * debian/sudo_root.8: mention sudo group instead of deprecated group
    admin (LP: #1130643)

 -- Andrey Bondarenko <email address hidden> Sat, 23 Aug 2014 01:18:05 +0600

Marc Deslauriers (mdeslaur) wrote :

Older releases of Ubuntu used a group called "admin" instead of "sudo" which is the name Debian chose later on.

We need to maintain the "admin" group rights in our sudoers file for people upgrading from earlier Ubuntu releases. If we remove it, they will no longer have sudo rights after upgrading.
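
A check for the situation discussed in this report, as an added example (not code from Ubuntu, sudo, or anyone in the thread): it lists the `%group` rules in a sudoers file whose group has no entry in a group file. It assumes local files only (no NSS/LDAP groups, no following of include directives); the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sudoers %group rules that name a group missing
# from the group file. Paths are parameters so copies can be checked.

# Print each Unix group used as the user field of a sudoers rule
# (e.g. "%admin ALL=(ALL) ALL"). Skips comments, %#gid and %:nonunix forms.
sudoers_groups() {
    awk '
        /^[ \t]*#/ { next }                 # comment and #include lines
        {
            user = $1
            if (user ~ /^%[^#:]/) {         # %name, not %#gid or %:name
                print substr(user, 2)
            }
        }
    ' "$1" | sort -u
}

# Print the sudoers groups that have no entry in the given group file.
missing_sudoers_groups() {
    sudoers_file=${1:-/etc/sudoers}
    group_file=${2:-/etc/group}
    sudoers_groups "$sudoers_file" | while IFS= read -r g; do
        # Exact match on the first colon-separated field, so "adm"
        # does not satisfy a rule for "admin".
        if ! awk -F: -v g="$g" '$1 == g { found = 1 } END { exit !found }' \
                "$group_file"; then
            printf '%s\n' "$g"
        fi
    done
}

# Constructed sample: the two rules quoted in the bug description, checked
# against a group file that has "sudo" and "adm" but no "admin".
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# Members of the admin group may gain root privileges' \
        '%admin ALL=(ALL) ALL' '%sudo ALL=(ALL:ALL) ALL' > "$d/sudoers"
    printf '%s\n' 'root:x:0:' 'adm:x:4:syslog' 'sudo:x:27:alice' > "$d/group"
    missing_sudoers_groups "$d/sudoers" "$d/group"
    rm -rf "$d"
}
demo   # prints: admin
```

On a live system, `missing_sudoers_groups` with no arguments checks /etc/sudoers against /etc/group and needs root to read the sudoers file. Any name it prints is a group that would grant sudo rights to whoever is later placed in it.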
