Ubuntu Wiki

This page is a work in progress.

Matrix

1. In a default Desktop installation, the first user on the system is considered an administrator, and as of Ubuntu 10.04 LTS is a member of the following groups: adm, dialout, cdrom, plugdev, lpadmin, admin, sambashare

Access external storage devices

This right is gained by adding the user to the "plugdev" group.

Users in the "plugdev" group can send commands to HAL (this is probably deprecated). (Ref.: /etc/dbus-1/system.d/hal.conf)

TODO: See what else "plugdev" can do, and how it restricts access to the storage devices.

Access internal storage devices

This right is gained by adding the user to the "admin" group.

Users in the "admin" group can access internal storage devices. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)

Administer the system

This right is gained by adding the user to the "admin" group.

Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)

The "admin" group is configured to be the PolicyKit "administrator authentication" group. (Ref.: /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf)

Use sudo to administer the system

This right is gained by adding the user to the "admin" group.

Users in the "admin" group can use sudo to gain administrative privileges after supplying their password. (Ref.: /etc/sudoers)

Beginning with Ubuntu 10.04 LTS, this right can also be granted by adding the user to the "sudo" group for compatibility reasons with Debian.

Configure printers

This right is gained by adding the user to the "lpadmin" group.

Cups contains a setting called "SystemGroup" in the /etc/cusp/cupsd.conf that specifies who is allowed to manage printers. By default, it is set to "lpadmin".

Connect to the Internet using a modem

This right is gained by adding the user to the "dip" group.

The "dip" group can launch pppd and access ppp configuration files in /etc.

Connect to wireless and ethernet networks

This right is gained by adding the user to the "netdev" group.

On Debian, the "netdev" group gains access to using Network Manager. On Ubuntu, Network Manager access rights are gained by being at the system console, so the name of this entry in gnome-system-tools is misleading.

The "netdev" group can administer wicd and wpasupplicant.

The "netdev" group can set the avahi host name using DBus.

The "netdev" group can administer Bluetooth devices.

Monitor system logs

This right is gained by adding the user to the "adm" group.

The "adm" group has access to most of the log files in /var/log, although a lot of them are readable by everyone.

Mount user-space filesystems (FUSE)

This right is gained by adding the user to the "fuse" group.

The "fuse" group can access the /dev/fuse device, but so can everyone else.

The "fuse" group can read the /etc/fuse.conf file.

TODO: See how the "fuse" group gains access to mount FUSE filesystems. (Is this enforced?)

Send and receive faxes

This right is gained by adding the user to the "fax" group.

Share files with the local network

This right is gained by adding the user to the "sambashare" group.

The "sambashare" group can access the /var/lib/samba/usershares directory.

Use audio devices

This right is gained by adding the user to the "audio" group.

TODO: The "audio" group owns some of the audio devices in /dev, but it's unclear what rights this gains.

Use CD-ROM drives

This right is gained by adding the user to the "cdrom" group.

The "cdrom" group owns the CD-ROM devices in /dev.

TODO: It appears the devices also have extended attributes. Investigate.

Use floppy drives

This right is gained by adding the user to the "floppy" group.

Use modems

This right is gained by adding the user to the "dialout" group.

The "dialout" group owns the /dev/ttyS* devices and can read the /etc/wvdial.conf file.

Use tape drives

This right is gained by adding the user to the "tape" group.

Use video devices

This right is gained by adding the user to the "video" group.

The "video" group can access /dev/fb0.

Use Bluetooth devices

All users at the console can talk to Bluetooth devices using DBus. (Ref.: /etc/dbus-1/system.d/bluetooth.conf)

Use VirtualBox virtualization solution

This right is gained by adding the user to the "vboxusers" group.

Use Checkbox

All users at the console can talk to the Checkbox backend using DBus. (Ref.: /etc/dbus-1/system.d/com.ubuntu.checkbox.conf)

Communicate with HAL (deprecated?)

All users at the console can communicate with the HAL daemon using DBus. Is this deprecated? (Ref.: /etc/dbus-1/system.d/hal.conf)

Use Network Manager

All users at the console can manage Ethernet, wireless and 3G networks using Network Manager via DBus. (Ref.: /etc/dbus-1/system.d/NetworkManager.conf, /etc/dbus-1/system.d/nm-applet.conf)

Check for new printers

All users at the console can check for new printers by communicating with hplip using DBus. (Ref.: /etc/dbus-1/system.d/newprinternotification.conf)

Install new software

This right is gained by adding the user to the "admin" group.

The user must type in his password before installing new software.

TODO: detail how software installing works for the different front-ends.

Install security updates

This right is gained by adding the user to the "admin" group.

The user must type in his password before installing security updates.

TODO: detail how security update installation works for the different front-ends.

Install software updates

This right is gained by adding the user to the "admin" group.

The user must type in his password before installing software updates.

TODO: detail how software update installing works for the different front-ends.

Change CPU frequency scaling

This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)

Change the system clock

This right is gained by adding the user to the "admin" group. (Ref.: /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla)