sudo is a command that allows users with appropriate permissions to take on another user's or the superuser's (root) ID, and so their permissions.
man sudo
DESCRIPTION
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
man su
NAME
su - change user ID or become superuser
man visudo
NAME
visudo - edit the sudoers file
man adduser
NAME
adduser, addgroup - add a user or group to the system
At install, Mint automatically sets up the installer's named account as a sudoer in the sudo group, as does Raspbian, which uses a default account name of pi, as seen in each OS's /etc/group file:
cat /etc/group | grep sudo
sudo:x:27:stevee
cat /etc/group | grep sudo
sudo:x:27:pi
You can also see these different users' group names, starting at 1000 (a user has a default group of the same name unless you specify a different one at creation with adduser name --ingroup xxx), by looking at the /etc/group file for each OS and grepping for user accounts of 1000 and above. First Mint:
stevee@AMD ~ $ cat /etc/group | grep 100.:
stevee:x:1000:
then Raspbian:
stevee@piblanc ~ $ cat /etc/group | grep 100.:
pi:x:1000:
indiecity:x:1001:root
stevee:x:1002:
For any Linux OS, user/group root is always created first and has group number 0:
cat /etc/group | grep root
root:x:0:
Above, user pi is the first user account created by default at install, in group 1000, but stevee was a name option during install for Mint, and that first user is added to the groups visible in the Mint GUI group box; note that group stevee itself is not included in that list!
Similar blanket coverage memberships are given to user pi also:
cat /etc/group | grep pi
adm:x:4:pi
dialout:x:20:pi
cdrom:x:24:pi
sudo:x:27:pi,stevee,joe,fred
audio:x:29:pi
video:x:44:pi,stevee,motion
plugdev:x:46:pi
games:x:60:pi
users:x:100:pi
pi:x:1000:
netdev:x:106:pi
input:x:999:pi
spi:x:998:pi
i2c:x:997:pi
gpio:x:996:pi
or, for Raspbian and Mint respectively:
id pi
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),
46(plugdev),60(games),100(users),106(netdev),999(input),998(spi),997(i2c),996(gpio)
id stevee
uid=1000(stevee) gid=1000(stevee) groups=1000(stevee),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),110(sambashare)
Both of these users need initial root powers via sudo to set anything up at the start, including setting a new password for the root account itself - don't forget to do it!!
sudo passwd root
For a user to be a sudoer, the account has to be listed, or be in an appropriate group, in the /etc/sudoers file (edited through its lock file /etc/sudoers.tmp), accessible via:
sudo visudo
passwd...
There are subtle differences between the two OS's files at first:
For both systems, root is all powerful of course:
# User privilege specification
root ALL=(ALL:ALL) ALL
For Mint, a legacy %admin line exists but the group name admin does not - replaced by sudo since Ubuntu 12.04.
There is an "adm" group allowing members to view log files. You can get an idea of a group's function by finding what type of files each group owns, e.g.:
sudo find / -group adm
/var/log/mysql/error.log.3.gz
/var/log/mysql/error.log.5.gz
/var/log/mysql/error.log.2.gz
find: '/run/user/1000/gvfs': Permission denied
There is a sudo group instead of admin for both later Mint and Raspbian versions:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
For Raspbian:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
pi ALL=(ALL) NOPASSWD: ALL
You see both OS's visudo files achieve the same result - the first user accounts can gain root powers but by different means.
Mint automatically adds the installer to the sudo group requiring a password to achieve su;
Raspbian allows default user pi su powers via sudo group membership, but without needing a password due to the visudo file NOPASSWD addition.
This may have been decided by the Raspbian team to give Pi users instant update and admin ability whilst learning, not being stumped by passwords or how to change them.
So, no auth is required for user pi when he, for example, does:
sudo apt-get update
Removing the NO from the NOPASSWD text may be the first thing you want to change if you are in an insecure environment... If you do, now when pi tries an upgrade:
sudo apt-get upgrade
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for pi:
To view a user's permissions set in /etc/sudoers, e.g.:
sudo -l -U pi
[sudo] password for stevee:
Matching Defaults entries for pi on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on this host:
(ALL : ALL) ALL
(ALL) PASSWD: ALL
So, if you wish to allow new users sudo powers, you have different options available to you, for both systems.
For example, you could add a user to the sudo group in Mint, as your installer did, but that grants the same powers as you have (which you probably won't want in reality, system requirements depending...):
sudo adduser joe --ingroup sudo
Adding user `joe' ...
Or, if user joe already exists, add to existing group sudo by:
sudo adduser joe sudo
Adding user `joe' to group `sudo' ...
Adding user joe to group sudo
Done.
NOTICE here though that, once user joe is added to the sudo group, he does not have to use passwd auth to check with Apt for Mint updates, as was an option for all users at install, but WILL need to auth to install them.
sudo -l -U joe
Matching Defaults entries for joe on dellmint:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User joe may run the following commands on dellmint:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
Or, if the account already exists, add the name to the visudo file, as user pi is.
#includedir /etc/sudoers.d
pi ALL=(ALL) PASSWD: ALL
If a user is not in the sudoers file and attempts sudo, a warning is issued:
[sudo] password for fred:
fred is not in the sudoers file. This incident will be reported.
Just adding his name is enough to allow him su with password auth:
fred ALL=(ALL) PASSWD: ALL
Notice that he is not added to the sudo group just by this visudo file entry! Now though, he can just add himself:
cat /etc/group | grep sudo
sudo:x:27:pi,stevee,joe
cat /etc/group | grep fred
fred:x:1004:
sudo adduser fred sudo
Adding user `fred' to group `sudo' ...
Adding user fred to group sudo
Done.
cat /etc/group | grep sudo
sudo:x:27:pi,stevee,joe,fred
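As an added example (not part of the original page), the shell functions below list the rules in a sudoers-format file and flag passwordless ones such as the pi entry discussed above; they also show that fred's direct entry is a user rule, independent of the sudo group. The function names and the sample file are assumptions, constructed from the rules quoted on this page, and only simple one-line rules are handled.

```shell
#!/bin/sh
# Added example (not from the original page): list simple one-line sudoers rules
# and flag passwordless ones. Not a full parser: aliases, line continuations,
# Defaults and included files are skipped.

# sudoers_rules FILE -> "<name> <user|group> <PASSWD|NOPASSWD> <commands>" per rule
sudoers_rules() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#@]/ { next }          # blank, comments, include directives
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        {
            who = $1
            kind = (who ~ /^%/) ? "group" : "user"
            sub(/^%/, "", who)
            rest = $0
            sub(/^[^=]*=[ \t]*/, "", rest)             # drop "who HOST ="
            sub(/^\([^)]*\)[ \t]*/, "", rest)          # drop "(runas)"
            auth = (rest ~ /^NOPASSWD:/) ? "NOPASSWD" : "PASSWD"   # PASSWD is the default
            sub(/^(NO)?PASSWD:[ \t]*/, "", rest)
            print who, kind, auth, rest
        }' "$1"
}

# passwordless_all FILE -> names that may run ALL commands without a password
passwordless_all() {
    sudoers_rules "$1" | awk '$3 == "NOPASSWD" && $4 == "ALL" && NF == 4 { print $1 }'
}

# Constructed sample: the rules quoted on this page plus fred's entry.
SUDOERS_SAMPLE=$(mktemp)
cat > "$SUDOERS_SAMPLE" <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
pi ALL=(ALL) NOPASSWD: ALL
fred ALL=(ALL) PASSWD: ALL
EOF

sudoers_rules "$SUDOERS_SAMPLE"
echo "passwordless ALL: $(passwordless_all "$SUDOERS_SAMPLE")"
```

Run it against a copy of the sudoers file rather than the live one, since reading /etc/sudoers itself needs root.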
The files that visudo edits are, from the man page:
FILES
/etc/sudoers List of who can run what
/etc/sudoers.tmp Lock file for visudo
sudo vi /etc/sudoers.d/README
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
For people familiar with Access Control Lists, you can see by reading man sudoers that /etc/sudoers is just that: you can restrict individual users/groups to specific functions only, or leave them wide open, as the default sudo members are.
Re the GUI above, and a user not showing in his own group list: if you add a user to another group using adduser name --ingroup xxx (so the group is NOT the user's own name), his group won't be apparent in this GUI or when grepped from /etc/group; it shows only in the /etc/passwd file.
sudo adduser bill --ingroup audio
Adding user `bill' ...
Adding new user `bill' (1001) with group `audio' ...
cat /etc/group | grep 100.:
stevee:x:1000:stevee
cat /etc/passwd | grep 100.:
stevee:x:1000:1000:stevee,,,:/home/stevee:/bin/bash
bill:x:1001:29:,,,:/home/bill:/bin/bash
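As an added example (not part of the original page), this shell function lists a group's members from both files, so an account whose primary group was set with --ingroup is not missed when checking who is in sudo or audio. The function name and the sample files are constructed for illustration; bill's entry is copied from the output above and joe's uid is made up.

```shell
#!/bin/sh
# Added example (not from the original page): list every member of a group,
# including users who have it only as their primary group in the passwd file.

# group_members GROUP PASSWD_FILE GROUP_FILE -> sorted user names, one per line
group_members() {
    awk -F: -v g="$1" '
        FNR == NR {                                   # first file: group database
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")                 # supplementary members
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }       # second file: primary GID match
        END { for (u in seen) print u }
    ' "$3" "$2" | sort
}

# Constructed sample files modelled on the output shown on this page;
# joe stands for an account made with "adduser joe --ingroup sudo".
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:stevee
audio:x:29:
stevee:x:1000:
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
stevee:x:1000:1000:stevee,,,:/home/stevee:/bin/bash
bill:x:1001:29:,,,:/home/bill:/bin/bash
joe:x:1002:27:,,,:/home/joe:/bin/bash
EOF

echo "grep on group file: $(grep '^sudo:' "$SAMPLE_DIR/group")"
echo "sudo members:  $(group_members sudo  "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" | tr '\n' ' ')"
echo "audio members: $(group_members audio "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" | tr '\n' ' ')"
```

A user whose primary group is sudo is matched by the %sudo rule even though grepping /etc/group does not list him; on a live system, id name reports the primary group as well.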