Ubuntu – Remove user from root group


Somehow I managed to add user Tom to the root group in Ubuntu, in order to avoid using sudo every time (bad decision). Now I want to remove it and I can't.

I've tried using

usermod -G {groups} Tom 

My /etc/sudoers file is the following:

Defaults        env_reset

root    ALL=(ALL) ALL

%sudo ALL=(ALL) ALL

%admin ALL=(ALL) ALL

Specifying all groups but root and no changes are made.
Any idea? Thanks

Best Answer

(Edit: this answer has been heavily edited since the original version. The original was spread over a couple of updates, so this hopefully represents those collected into a logical summary.)

Short version: Looking at the output you provided, I don't think you have put Tom in the root group, I think you have changed the root user's primary group to Tom.

Long Version:

The output that you provided was actually the user and group information for the root user, rather than the Tom user, however it is very useful as it exposes a problem for your system;

 # id
 uid=0(root) gid=1001(Tom) grupos=0(root),1001(Tom),1002(subversion),117(nagios),1004(reweb)

This output indicates that there is a problem here, which is that you have changed the root user's primary group to Tom, which is likely not what you had in mind: uid=0(root) gid=1001(Tom) <--- this is bad, and is probably what is causing problems.

The consequence of this is that there might be loads of files around owned by group Tom like so, and these would appear in places like /var/log

-rw------- 1 root Tom 332203 Feb 24 21:17 messages

This is because root creates many files for services running as root, and will create new files with the root user's primary group, which is now Tom. You can fix the root primary group problem with the following command;

# usermod -g root root

However, this primary group problem might have had some odd effects, such as leaving files everywhere in surprising places with group Tom, because any files created by root will have Tom group permission.

Fixing permissions on files created with the Tom group is pretty easy if you can find them

Because of the root primary group problem mentioned above, you should fix these permissions by constructing a find / -group Tom type command to see where those files exist.

# find / -group Tom
/var/somepath/somefile.txtx
/var/somepath/somefile.txtx2

and fix those files up with something like;

chown :root /var/somepath/somefile.txtx2

If you don't care about resetting the Tom user files to root when they are outside the /home/Tom directory, then you can just blast all the messed up group permissions back to root like so;

find / \( -type d -regex "/home/Tom" -prune \) -o -group Tom -print -exec chown :root {} \;

but I would look that command up before running it, in case it blatts your system....


Given what you have said, the following commands should fix both root and Tom to defaults with regards to primary groups;

Make sure root has primary group root;

# usermod -g root root

Make sure Tom has primary group Tom

# usermod -g Tom Tom

Make sure Tom is not in the root group

# gpasswd -d Tom root
Removing user Tom from group root

Make sure root is not in the Tom group

# gpasswd -d root Tom
gpasswd: unknown member root

If you wanted to prevent "Tom" from getting any admin rights, you could further check that "Tom" is not in the sudo or admin groups;

  # gpasswd -d Tom sudo
  # gpasswd -d Tom admin
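
A read-only check for the conditions the answer above fixes by hand, as an added example that is not part of the original answer: it reports a uid 0 account whose primary group is not gid 0, any other account with primary gid 0, and non-root members of the root, sudo or admin groups. The function names audit_gid0 and audit_demo are hypothetical, and the sample passwd/group lines are constructed to mirror the id output quoted in the answer.

```shell
#!/bin/sh
# audit_gid0 [passwd_file] [group_file]  (defaults: /etc/passwd, /etc/group)
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
# It only reads the two files and changes nothing.
audit_gid0() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    awk -F: -v privileged="sudo admin" '
        BEGIN { n = split(privileged, p, " "); for (i = 1; i <= n; i++) priv[p[i]] = 1 }
        # First file (passwd): name:pw:uid:gid:gecos:home:shell
        FNR == NR {
            if ($3 == 0 && $4 != 0) {
                printf "PRIMARY_GROUP uid0=%s gid=%s\n", $1, $4; bad = 1
            } else if ($3 != 0 && $4 == 0) {
                printf "PRIMARY_GROUP user=%s has primary gid 0\n", $1; bad = 1
            }
            if ($3 == 0) uid0[$1] = 1
            next
        }
        # Second file (group): name:pw:gid:member1,member2,...
        {
            # Only gid 0 and the groups granted rights in the sudoers file matter
            if ($3 != 0 && !($1 in priv)) next
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) {
                if (members[i] == "" || (members[i] in uid0)) continue
                printf "MEMBER user=%s group=%s\n", members[i], $1; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$passwd_file" "$group_file"
}

# Constructed sample: root with primary group 1001 (Tom), Tom listed in root and sudo.
audit_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'root:x:0:1001:root:/root:/bin/bash' \
                  'Tom:x:1001:1001::/home/Tom:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:x:0:Tom' 'Tom:x:1001:' 'sudo:x:27:Tom' \
                  'subversion:x:1002:root' > "$d/group"
    rc=0
    audit_gid0 "$d/passwd" "$d/group" || rc=$?
    rm -rf "$d"
    return "$rc"
}

audit_demo || true   # run the constructed sample; findings are expected here
```

Calling audit_gid0 with no arguments checks the live /etc/passwd and /etc/group; running it again after the usermod and gpasswd commands above should print nothing.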