I've always found it bit weird and confusing that the first user created during installation by d-i is "special" and belongs to a number of groups that apparently are mostly unecessary in the modern world.
However, when you add a new user using the command line (useradd/adduser), or the GNOME settings panel, the newly created user does not belong to any additional groups, and still everything works fine (except audio in fast-user-switching use case, if the primary user is in the audio group). Why should the first user be treated differently anyway? If some groups are necessary for normal operation, shouldn't additional users also be included by default? If the first user is considered the primary owner of the computer and thus entitled to more permissions, that should be at least clearly documented. The merge request by Felipe Sateler removes most hardware access groups, but still leaves three groups: dip, debian-tor and lpadmin. Is the dip (dialup, ppp?) group relevant for most users? debian-tor is not included in default /etc/group, but maybe it works if the user installs tor from d-i? The purpose of these groups and the access they grant to the user is not clearly documented anywhere I could find. For example, the first user is in the video group by default, and according to https://wiki.debian.org/SystemGroups "This group can be used locally to give a set of users access to a video device (like the framebuffer, the videocard or a webcam)" What does it mean in practical terms, if I can access /dev/fb0 and /dev/dri/cardX? Can I snoop another user's screen while he is logged in?
