Comment 2 for bug 2027581

On UbuntuCore the default user added by console-conf is automatically granted passwordless sudo.

the /etc/group file is on a readonly filesystem and contains the sudo group, this usually prevents you from accidentially adding extra sudo users (UbuntuCore exclusively uses /var/lib/extrausers for addtional users and snapd (being the management authority) normally creates snippets in /etc/sudoers.d on a per user basis)

in earlier UbuntuCore releases the admin group still existed in the readonly /etc/group so adding such a user would have been prevented by the readonly state of the file.

now you can unconditionally create such a user and automatically get sudo privs without having to go through a system-user assertion managed by snapd (which is the only process that can create snippets in /etc/sudoers.d on these systems)

if not considered a security hole (due to the fact that you can circumvent the documented locked down user creation process via system-user-assertions for this type of systems) this is at least a heavy inconsistency ... we should either add an admin group to the core snaps readonly /etc/group or wipe the admin line from sudoers so we match the documented behavior.