After some research, I answered my own question... I'll post it here for reference; it may help people with a similar question in the future:
I've downloaded and studied the source code from the gnome-system-utils package. The app itself is users-admin. And the short answer is:
Yes, this tab is only about adding and removing the user from certain groups.
Long answer:
There are some checks; for example, removing the user from the admin group triggers a warning if the user is the only administrator in the system, and prevents revoking this privilege. But, basically, each "privilege" in the list is just an alias for a group. It makes sense, since security and privileges in Linux are closely tied to a user belonging (or not) to certain groups.
But not every group is represented in the Privileges list, only a few. And, believe it or not, the list is hard-coded! Groups and description strings!
Below is a list of all the groups represented in the privileges list, as of Linux Mint 10 (= Ubuntu Maverick 10.10 in that sense). The group names and the descriptions shown in the list are taken directly from the source code, file src/users/privileges_list.c. The explanations for some of them (where the description is not self-explanatory) are taken from this blog (a bit outdated) and /usr/share/doc/base-passwd/users-and-groups.html (definitely obsolete).
adm - Monitor system logs. Group adm is used for system monitoring tasks. Members of this group can read many log files in /var/log, and can use xconsole. Historically, /var/log was /usr/adm (and later /var/adm), thus the name of the group. HELP: Perhaps policy should state the purpose of this group so users may be safely added to it, in certainty that all they'll be able to do is read logs. Wouldn't hurt to rename it 'log' either ...
admin - Administer the system. Allows members to control administrative functions on the system, such as adding programs and new user accounts (in other words, it's the group that allows a user to use the sudo command). UPDATE: from Ubuntu 12.04 onwards, the corresponding group is named sudo
audio - Use audio devices
cdrom - Use CD-ROM drives
cdwrite - Burn CDs / DVDs
dialout - Use modems. Full and direct access to serial ports. Members of this group can reconfigure the modem, dial anywhere, etc.
dip - Connect to Internet using a modem. The group's name stands for "Dialup IP". Being in group dip allows you to use tools such as pppd, pon, and poff to make dialup connections to other systems using predefined configuration file(s) in the /etc/ppp/peers directory.
fax - Send and receive faxes
floppy - Use floppy drives
fuse - Mount user-space filesystems (FUSE). Allows members to use the FUSE filesystem to mount removable media in their home folder without administrative privileges
lpadmin - Configure printers. Allows a user to add, modify, and remove printers from foomatic, cups, and possibly other printer databases.
netdev - Connect to wireless and ethernet networks. Special group used by internal communications services
plugdev - Access external storage devices automatically. Members of this group can access removable devices in limited ways without explicit configuration in /etc/fstab. This is useful for local users who expect to be able to insert and use CDs, USB drives, and so on. Since pmount (the original implementor of group plugdev) always mounts with the nodev and nosuid options and applies other checks, this group is not intended to be root-equivalent in the ways that the ability to mount filesystems might ordinarily allow. Implementors of semantics involving this group should be careful not to allow root-equivalence.
powerdev - Suspend and hibernate the computer
proc - Access /proc filesystem
scanner - Use scanners
tape - Use tape drives
usb - Use USB devices
vboxusers - Use VirtualBox virtualization solution
video - Use video devices
wheel - Be able to get administrator privileges
sambashare - Share files with the local network
A privilege is only listed if its corresponding group exists in the system. So the following do not show here, since Ubuntu does not create them by default: cdwrite, powerdev, proc, scanner, usb, video and wheel.
Groups vboxusers (and perhaps sambashare) are only created when you install that software, giving a false impression that this list is configurable and not hard-coded.
That's kind of weird, since I can use my CD/DVD writer, USB ports, hibernate, audio and video just fine. Maybe these are obsolete groups from Debian not used by Ubuntu? Well, then what is tape doing there?
Update: The video group seems related to using the framebuffer driver for direct video access and graphic modes. As it turns out, non-root users are not allowed to use video graphics; the Xorg X server is, and the desktop environment, such as Gnome/Unity/KDE, uses the X server. As such, /usr/bin/X is setuid root.
I guess this is similar with usb, cdrom and other block devices: a regular user can only indirectly access those devices configured via udev.
In your example you:
- Have the user user1 as a part of the group user2.
- Have the user user2 as a part of the group admin.
The user user1 is distinct from the group user1.
Since (the user) user2 is a member of the admin group, and (the user) user1 is a member of (the group) user2 - is user1 effectively an admin?
- No, the user user2 is a member of the admin group. Not the group user1.
If the admin group is in the sudoers file, can (the user) user2 use it as well?
- Yes, just as the other users which are members of the group, jim and bob.
If the admin group is in the sudoers file, can user1 use it as well?
- No, since the admin group only consists of users. It has the user user2 in it, even though the user user1 is part of the group user2. They are different things, but share the same name in this and many distros' setup. Groups on one side, users on the other. If the names match, they are still entirely different things.
To sum it up: Separate the user from the group. The names may be the same, but they refer to different entities. In GNU/Linux you do not have groups inside groups; a group can only contain users (which is different from, say, Windows).
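The two answers above make two points that are easy to check mechanically: the Privileges tab is the hard-coded table filtered to groups that actually exist, and a user named like a group is not that group, so membership never chains. The script below is an added example, not code from either answer and not from users-admin; it models both points over constructed /etc/passwd and /etc/group excerpts embedded in the script (the users user1, user2, alice, jim, bob and the gids are made up for the example) instead of reading the real files. The group names and descriptions are the ones quoted from src/users/privileges_list.c above.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/group excerpts (not read from the system) so the
# script runs offline. user1's primary group is user1; user user1 is listed as a
# member of group user2; user user2 is listed in group admin.
PASSWD_DB='root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash'

GROUP_DB='root:x:0:
adm:x:4:syslog,user2
dialout:x:20:user2
cdrom:x:24:user2,alice
audio:x:29:user2,alice
dip:x:30:user2
plugdev:x:46:user2,alice
admin:x:119:user2,jim,bob
vboxusers:x:125:alice
user1:x:1001:
user2:x:1002:user1
alice:x:1003:'

# The hard-coded privilege table from users-admin (src/users/privileges_list.c),
# as "group|description"; the strings are the ones quoted in the answer above.
PRIVS='adm|Monitor system logs
admin|Administer the system
audio|Use audio devices
cdrom|Use CD-ROM drives
cdwrite|Burn CDs / DVDs
dialout|Use modems
dip|Connect to Internet using a modem
fax|Send and receive faxes
floppy|Use floppy drives
fuse|Mount user-space filesystems (FUSE)
lpadmin|Configure printers
netdev|Connect to wireless and ethernet networks
plugdev|Access external storage devices automatically
powerdev|Suspend and hibernate the computer
proc|Access /proc filesystem
scanner|Use scanners
tape|Use tape drives
usb|Use USB devices
vboxusers|Use VirtualBox virtualization solution
video|Use video devices
wheel|Be able to get administrator privileges
sambashare|Share files with the local network'

# group_exists GROUP: succeeds if GROUP has a line in the group database.
group_exists() {
  printf '%s\n' "$GROUP_DB" | grep -q "^$1:"
}

# list_privileges: the rows the Privileges tab would show, i.e. only the
# privileges whose group exists. Everything else is silently dropped.
list_privileges() {
  printf '%s\n' "$PRIVS" | while IFS='|' read -r grp desc; do
    if group_exists "$grp"; then
      printf '%s - %s\n' "$grp" "$desc"
    fi
  done
}

# user_groups USER: what `id -nG USER` would print: the primary group (from the
# passwd gid) plus every group whose member list names USER. Members are matched
# by user name only; a group name appearing in a member list means nothing.
user_groups() {
  pgid=$(printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4 }')
  printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" -v pgid="$pgid" '
    $3 == pgid { print $1; next }
    {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# in_group USER GROUP: succeeds if GROUP is one of user_groups USER.
in_group() {
  user_groups "$1" | grep -Fqx "$2"
}

# can_sudo USER: what a sudoers line of "%admin ALL=(ALL) ALL" (or %sudo) grants.
can_sudo() {
  in_group "$1" admin || in_group "$1" sudo
}

echo "Privileges tab would list:"; list_privileges
echo "user2 can sudo: $(can_sudo user2 && echo yes || echo no)"   # yes
echo "user1 can sudo: $(can_sudo user1 && echo yes || echo no)"   # no: group user2 is not nested into admin
```

Running it prints eight privilege rows (adm, admin, audio, cdrom, dialout, dip, plugdev, vboxusers), since those are the only table groups present in the constructed group file; user2 can sudo through admin, while user1 only gets user1 and user2 from the lookup, because the member list of admin is matched against user names and never expanded through a group that happens to share a name with a user.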
Best Answer
A) Short answer
Default groups; say for user123, on a fresh install (use the command groups in a terminal):
Gives diff from 11.04 as: admin is replaced by sudo, dialout is removed, dip is added.
To get/view defaults (would probably work for various others too), do:
B) Restoring default groups
(Adding this to make it more complete)
1. Identifying the groups
I always set a root password, but if you haven't, use a live CD, live USB, other install etc. to get to the file.
If you have set a root password (by i.e.):
and have lost sudo privileges, do:
Gives you i.e.
Or:
Which yields:
(No idea why dip suddenly has become a default group by install. Something to do with dialout being removed?)
2.a Updating groups - using "built-in" root access
So do, as root, to add groups to user, i.e. user user123:
Where (somewhat outdated on 12.10):
Some extras you might need: (check what you have by root@YOURPC:~# id -nG user123)
If you want, double-check /etc/group, i.e. (here with some extras):
As an alternative one can boot into rescue mode and
Log out and log in. Groups should be updated.
2.b Updating groups - using root access from Live-CD etc.
xxx here is where your file-system is mounted when running a live edition, i.e. /media/foo.
Manually edit the file /xxx/etc/group using vigr and add the user as in the previous listing.
Or; only add the user to sudo; as in:
Boot into your installation and update by executing the usermod command with sudo:
Log out and log in. Groups should be updated.
Double Note: admin is no longer part of Ubuntu as of 11.10 in favour of sudo.
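The restore procedure above boils down to one delta: compare what id -nG reports with the release's default set and append whatever is missing. The script below is an added example, not the answer's own commands; it takes the id -nG output as a string (a constructed one is used inline) so it can be run from a live CD or chroot without touching the real databases, and it prints the usermod invocation rather than executing it. The default set adm cdrom sudo dip plugdev lpadmin sambashare is assumed to be the 12.04 first-user set; adjust it to your release.

```shell
#!/bin/sh
# Default supplementary groups of the first user on a fresh Ubuntu 12.04 install.
# Assumed for this example (the answer's own listing is not reproduced here).
DEFAULT_GROUPS="adm cdrom sudo dip plugdev lpadmin sambashare"

# missing_groups "CURRENT": prints the default groups absent from CURRENT,
# comma-joined (ready for usermod -G). CURRENT is the output of `id -nG USER`.
missing_groups() {
  missing=""
  for g in $DEFAULT_GROUPS; do
    case " $1 " in
      *" $g "*) ;;                                   # already a member
      *) missing="${missing:+$missing,}$g" ;;
    esac
  done
  printf '%s\n' "$missing"
}

# restore_cmd USER "CURRENT": prints the usermod command that adds the missing groups.
# The -a matters: `usermod -G list user` without -a REPLACES the supplementary
# group list, which is exactly how a user ends up losing sudo in the first place.
restore_cmd() {
  m=$(missing_groups "$2")
  if [ -z "$m" ]; then
    printf '# %s already has all default groups\n' "$1"
  else
    printf 'usermod -a -G %s %s\n' "$m" "$1"
  fi
}

# Constructed `id -nG user123` output for a user that has lost adm and sudo.
restore_cmd user123 "user123 cdrom dip plugdev lpadmin sambashare"
# prints: usermod -a -G adm,sudo user123
```

On a live system the input would be "$(id -nG user123)", and the printed line is what you run as root (or through a chroot into the mounted installation); the change takes effect at the next login, as the answer notes.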