Group 'admin' gid problem

Edward Lee tigerfishdaisy at gmail.com
Sat Jul 18 13:45:48 BST 2009


Argh, I seem to have trimmed off the rest of the message when I
replied.  Sorry about the confusion....

The issue was about a remote group/NIS issue.  I was complaining about
how the 'admin' group was not a 'shared' group, per se (GID<100), which
made it difficult to set up a remote group system and have common
administrators on all computers.  Any chance of moving the 'admin' group
to a GID < 100?

-Ed

> Edward Lee wrote:
> > > My issue with this is that the 'admin' group, which is used by sudo to
> > > control who can administer the system as root, is not one of those
> > > groups < 100.
> > 
> > But that's just a matter of configuration in the sudoers file. You could
> > reconfigure it to trust a fixed group of your choice as well / instead.
> Well, I just got back to my computer, and I tested out the gconf tool
> using your method.  Apparently, the gconf 'Admin authentication' option
> checks for membership in the 'admin' group, which means that this option
> won't work too well in the GNOME configuration tools.
> -Ed
> > 
> > > BTW, why are there two 'administrator' groups -> 'adm' and 'admin'?
> > 
> > adm is not an administrator group per se - its purpose is to grant
> > read-only access to "administrative information" (i.e. /var/log/
> > logfiles) that otherwise only root has access to.
> > 
> > Max.
> > 

On Sat, 2009-07-18 at 21:59 +1200, Tim Frost wrote:
> On Fri, 2009-07-17 at 08:46 -0400, Edward Lee wrote:
> > Fair enough, and I just tried your solution.  The problem with it is
> > that some graphical elements of GNOME seem to depend on the user
> > being in the 'admin' group.  For example, the Main Menu tool only
> > shows/allows to be checked 'Add/Remove Programs' and 'Software Sources'
> > when the user is present in the 'admin' group.  It's not a showstopper,
> > but it's really annoying at times.
> > 
> Why? Ubuntu is set up so that the first user defined on a system is the
> (default) administrator of the system, and is a member of the admin
> group (among others). The tools that you cite are administrator tools,
> so should only be accessible to people who are designated as
> administrators, and so are members of the admin group.
> 
> Membership of the admin group, and of other special groups, should be
> decided on a per-system basis, rather than being granted globally.
> 
> If a user who is not an administrator of the system logs in, they should
> not be able to perform administrative tasks.  You seem to be complaining
> that this restriction is in force, when it is an explicit part of the
> Ubuntu philosophy.
> 
> For each machine, a conscious decision needs to be made about who should
> be authorised to make changes that affect the system, such as installing
> or removing software.  For that reason, it makes sense that the default
> is to not make a person a member of the admin group.
> 
> 
> 
> > -Ed
> > 
> 
> Tim
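
An added example, not part of the original messages: a small audit of the situation discussed in this thread, where the group trusted by sudo has a locally assigned GID that is not in the fixed range below 100. The host names, `/etc/group` excerpts and sudoers excerpt are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data (not from the thread): /etc/group excerpts per host.
GROUP_FILES = {
    "host-a": "root:x:0:\nadm:x:4:ed\nadmin:x:115:ed\n",
    "host-b": "root:x:0:\nadm:x:4:ed\nadmin:x:121:ed,tim\n",
    "host-c": "root:x:0:\nadm:x:4:\n",
}
# Constructed sudoers excerpt; %admin is the kind of group rule the thread describes.
SUDOERS = "# Members of the admin group may gain root privileges\n%admin ALL=(ALL) ALL\nroot ALL=(ALL) ALL\n"

def sudo_groups(sudoers_text):
    """Return group names granted rights via '%group' rules (skips '%#gid' and comments)."""
    groups = set()
    for line in sudoers_text.splitlines():
        m = re.match(r"\s*%([A-Za-z_][\w.-]*)\s", line)
        if m:
            groups.add(m.group(1))
    return groups

def parse_group(text):
    """Parse /etc/group text into {name: gid}, ignoring malformed lines."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[2].isdigit():
            out[fields[0]] = int(fields[2])
    return out

def audit(group_files, sudoers_text, fixed_below=100):
    """For each sudo-trusted group, list per-host GIDs and what blocks sharing it."""
    parsed = {host: parse_group(text) for host, text in group_files.items()}
    report = {}
    for name in sorted(sudo_groups(sudoers_text)):
        gids = {host: groups.get(name) for host, groups in parsed.items()}
        present = {g for g in gids.values() if g is not None}
        issues = []
        missing = sorted(h for h, g in gids.items() if g is None)
        if missing:
            issues.append("missing on: " + ", ".join(missing))
        if len(present) > 1:
            issues.append("GID differs between hosts")
        if any(g >= fixed_below for g in present):
            issues.append(f"GID not in the fixed range (< {fixed_below})")
        report[name] = {"gids": gids, "issues": issues}
    return report

if __name__ == "__main__":
    for name, info in audit(GROUP_FILES, SUDOERS).items():
        print(name, info["gids"], info["issues"] or "consistent")
```
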




More information about the ubuntu-devel mailing list