Group 'admin' gid problem

Colin Watson cjwatson at ubuntu.com
Fri Jul 17 14:01:28 BST 2009


On Thu, Jul 16, 2009 at 05:04:49PM -0400, Edward Lee wrote:
> My issue with this is that the 'admin' group, which is used by sudo to
> control who can administer the system as root, is not one of those
> groups < 100.
> 
> As a system administrator, it is nice to be able to set groups on the
> server and not have to worry about anything on the client computers.
> 
> Is it possible to move the 'admin' group to a GID less than 100 so we
> don't have these problems [either export all groups=>bad bugs, don't
> export=>more work] (like the 'adm' group is right now @ GID 4)?

This is a bit technically and politically difficult. Group IDs less than
100, called "global static IDs", are maintained in a static list in the
base-passwd package, and are identical between Debian and Ubuntu (this
is a constraint I impose as base-passwd maintainer in both
distributions, but I think it's necessary for everyone's sanity - it
would be very bad if there were an ID clash there, and very hard to
recover from). Debian doesn't use the 'admin' group so I think this
would be a controversial change, though.

I'll try to remember to bring it up with some relevant people at the
upcoming Debian conference.

I wouldn't hold your breath for a quick solution to this, though. I
think it'd be much more realistic to try to work around this by
exporting individually-named groups, though.

> BTW, why are there two 'administrator' groups -> 'adm' and 'admin'?

adm has historically really meant "system monitoring" - you get to read
log files and such. We didn't think it was appropriate to overload that
with sudo access.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
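
Added example, not part of the original message and not code from base-passwd: a check a site could run before exporting groups to clients, comparing a client's /etc/group with the server's exported list to find names whose GIDs differ and GIDs that belong to a different name on each side. The function names and the sample entries (including every GID of 100 or more) are constructed for illustration.

```python
"""Compare a client's group database with groups exported from a server."""

STATIC_GID_LIMIT = 100  # per the message: GIDs below 100 are global static IDs

# Constructed sample data in group(5) format: name:passwd:gid:members
LOCAL = "root:x:0:\nadm:x:4:alice\nlpadmin:x:104:alice\nadmin:x:115:alice\n"
EXPORTED = "adm:x:4:\nadmin:x:104:bob\n"


def parse_group(text):
    """Parse group(5) text into {name: gid}, skipping malformed lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry or NIS compat line such as "+:::"
        groups[fields[0]] = int(fields[2])
    return groups


def is_static(gid):
    """True for IDs in the range the message calls global static IDs."""
    return gid < STATIC_GID_LIMIT


def find_conflicts(local, exported):
    """List cases where applying the exported groups changes what a GID means."""
    local_by_gid = {}
    for name, gid in local.items():
        local_by_gid.setdefault(gid, []).append(name)
    findings = []
    for name, gid in sorted(exported.items()):
        # Same group name, different number on client and server.
        if name in local and local[name] != gid:
            findings.append(("gid-mismatch", name, local[name], gid))
        # Same number, already owned by a different group on the client.
        for other in local_by_gid.get(gid, []):
            if other != name:
                findings.append(("gid-clash", name, gid, other))
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(parse_group(LOCAL), parse_group(EXPORTED)):
        print(finding)
```

In the sample, 'adm' at GID 4 matches on both sides, while 'admin' is reported twice because its GID is allocated per machine.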


