4

When adding user like this : 

sudo adduser someuser --ingroup sudo

Added user can use sudo but he is not in /etc/group sudo nor in /etc/sudoers
So how does it work ?

heemayl
  • 93,925
EdiD
  • 4,617
  • 3
  • 27
  • 41

2 Answers2

2

The --ingroup option of adduser changes/adds the Primary group of the added user, and the primary group of a user is stored in the /etc/passwd file, in the : separated fourth field, as numeric GID.

So sudo is reading the /etc/passwd file, and finding that the user someuser has the primary group sudo, so the sudo commands are working perfectly.

Now, /etc/group's sudo group entry still would not show the membership, because /etc/group only stores the secondary group membership, not primary.

heemayl
  • 93,925
2

Your adduser command sets the user's primary group to sudo.

From man adduser:

   By  default,  each  user  in  Debian GNU/Linux is given a corresponding
   group with the same name.       [ ... ]                  Users' primary
   groups  can  also be overridden from the command line with the --gid or
   --ingroup options to set the group by id or name, respectively. 

   [ ... ]  

   --ingroup GROUP
          Add the new user to GROUP instead of a usergroup or the  default
          group  defined  by  USERS_GID  in  the configuration file.  This
          affects the users primary group.  To add additional groups,  see
          the add_extra_groups option

The primary group normally has the same name and ID as the user. It is not stored in /etc/group but in /etc/passwd, like this:

bytecommander:x:1000:1000:ByteCommander,,,:/home/bytecommander:/bin/bash

The 4th :-separated field contains the GID (group ID) of the user's primary group.

Now /etc/group contains a list of all groups and associates users that have this group as additional (not primary) group, like this:

sudo:x:27:bytecommander

The distinction between primary and additional groups is also visible in the output of the id command (formatting by me):

$ id
uid=1000(bytecommander) 
gid=1000(bytecommander) 
groups=1000(bytecommander),27(sudo)

What is important for the use of sudo is only membership in the sudo group, it does not distinguish primary and secondary membership. The responsible configuration line can be found in /etc/sudoers and looks like this:

%sudo   ALL=(ALL:ALL) ALL

This line grants all members of the sudo group automatically full permissions to run any command as any user, without having to specify each user manually.

Byte Commander
  • 110,243