useradd grants root privileges to admin user
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sudo (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
Hi,
As part of the Ubuntu Core 20, if a developer creates a user named either admin or Admin, it will have root privileges by default. I think that this is a security issue but it requires input from the security engineers/
Basically, if you look at the sudoers file under `/etc/sudoers`, you will realize the following line;
```
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
```
And if someone creates a user by using admin as name, the system provide root privilege.
```
sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
iotuc@ubuntu:~$ su Admin
Password:
Admin@ubuntu:
cat: /etc/sudoers: Permission denied
Admin@ubuntu:
[sudo] password for Admin:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Admin@ubuntu:
```
Similarly, if I create a username called aydogar, it does not have root privilege and this is expected.
```
sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
iotuc@ubuntu:~$ su aydogar
Password:
aydogar@
cat: /etc/sudoers: Permission denied
aydogar@
[sudo] password for aydogar:
aydogar is not in the sudoers file. This incident will be reported.
aydogar@
```
I think, this is a bug but would love here other ideas and inputs.
description: | updated |
summary: |
- useradd will grand root privileges for admin user + useradd grants root privileges to admin user |
This is no bug. useradd adds automatically the user to a same named group. So admin user would get added to admin group. This is intended behavior. admin group has sudo rights. This is also intended.