1

I would like to run a command with temporary group membership but it seems that I don't have permission to do that. As an example, if I run sudo -g internet ls, I get the message Sorry, user rudivonstaden is not allowed to execute '/bin/ls' as rudivonstaden:internet on rudivonstaden-desktop.

In my limited understanding, this should be governed by the /etc/sudoers file, potentially modified by files in /etc/sudoers.d. The latter folder only contains the README file, and the sudoers file has the following:

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL

As far as I can tell, that should allow any sudo user to run any file as any group using the -g option. Is there a bug somewhere, or am I missing something?

Braiam
  • 66,947
  • 30
  • 177
  • 264
rudivonstaden
  • 539
  • 1
  • 6
  • 15

1 Answers1

4

I managed to get it working by editing my /etc/sudoers file (with sudo vimsudo), and changing the admin group permissions from

%admin ALL=(ALL) ALL

to

%admin ALL=(ALL:ALL) ALL

The sudo group is a bit of a red herring on Ubuntu, it's actually the admin group that defines sudo permissions. See this question for more on how Ubuntu uses the admin and sudo groups.

Community
  • 1
rudivonstaden
  • 539
  • 1
  • 6
  • 15
  • 1
    The accepted answer to [that question](http://askubuntu.com/questions/43317/what-is-the-difference-between-the-sudo-and-admin-group) is not correct anymore. As of Ubuntu 12.04, `sudo` is the main administrative group. If an earlier release is upgraded to 12.04, it will retain the `admin` group, and the `admin` group will still have its power, but that's for backward compatibility. – Eliah Kagan Jul 12 '12 at 17:22
  • On archlinux, you may want to use `wheel` instead. To allow a specific user passwordless access to a specific group, add a line like `thomas ALL=(thomas:vpn) NOPASSWD: ALL`. – Thomas G. Dec 30 '16 at 11:17