Thanks for reporting this issue. Since you need to be root to create a new user, this can probably not be used directly as exploit. But I agree that creating a user "admin" should not create one that is in the admin group. So either removing this configuration line or create a admin group by default. In the latter case, adduser will fail to create a admin user.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1843829 Title: sudoers: admin group has permissions, but does not exist by default Status in sudo package in Ubuntu: Triaged Bug description: Hello I had reported this earlier but my account shows no bugs reported so here I try again. On Ubuntu going back for a while now and also including the newest release /etc/sudoers contains the below lines on a default install %admin ALL=(ALL) ALL The problem is that the admin group doesn't exist by default so if a user with the name of admin was created they would be in a group of their own name. It looks like you guys might be using an account named adm instead of admin? This is also causing other bugs to be reported. It may seem silly as adding a user requires elevated permissions. If someone doesn't know about this behaviour or a user is allowed to create an admin named account through a script they are just a short sudo su away from controlling a system. I'd recommend commenting out the /etc/sudoers line or adding an admin group to /etc/group or changing the admin in sudoers to adm if that is what you are trying to do. Aaron Ringo To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1843829/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
