Adding a user to sudo group vs creating a sudoers file

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












What is the practical difference between:




  • adding a user to sudo (Debian) or wheel (RHEL) group



    sudo usermod -aG sudo/wheel <username>


vs




  • creating a file named username with the following contents in /etc/sudoers.d/



    username ALL=(ALL:ALL) ALL










share|improve this question

























    up vote
    1
    down vote

    favorite












    What is the practical difference between:




    • adding a user to sudo (Debian) or wheel (RHEL) group



      sudo usermod -aG sudo/wheel <username>


    vs




    • creating a file named username with the following contents in /etc/sudoers.d/



      username ALL=(ALL:ALL) ALL










    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      What is the practical difference between:




      • adding a user to sudo (Debian) or wheel (RHEL) group



        sudo usermod -aG sudo/wheel <username>


      vs




      • creating a file named username with the following contents in /etc/sudoers.d/



        username ALL=(ALL:ALL) ALL










      share|improve this question













      What is the practical difference between:




      • adding a user to sudo (Debian) or wheel (RHEL) group



        sudo usermod -aG sudo/wheel <username>


      vs




      • creating a file named username with the following contents in /etc/sudoers.d/



        username ALL=(ALL:ALL) ALL







      sudo






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 12 mins ago









      pkaramol

      415213




      415213




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          0
          down vote













          The only practical difference that I can see is in the situation where the sudoers file is a standard that is shared (deployed) amongst different machines. (And the user/group database is for some reason not shared. An unlikely situation, IMO.)



          In this instance the user added to the sudo/wheel group will be able to execute any command as any user only on that machine, whereas the the user with an explicit entry in the sudoers file will be able to execute any command as any user on every machine.





          share




















          • we could combine our answers into a SuperAnswer! if you want ot copy/paste mine into yours as an edit, i'll cheerfully delete mine.
            – ivanivan
            5 mins ago

















          up vote
          0
          down vote













          Effective difference? Not much. Biggest I can think of is that by adding the user to the sudoers group (or whatever group is needed) the user needs to log out/in or use newgrp to really become a member of that group and be able to sudo, whereas a file under /etc/sudoers.d/ wouldn't require that extra step.



          Long term maintenance, etc. with more than just one user involved... the group membership may be "better" - it really comes down to work flow, etc. at that point and it rapidly moves this question even further into that grey murky area known as "opinion based answers". Obviously there may be some technical reasons behind choosing one over the other (ie, for the www-user to sudo and you don't want to or can't start/stop the webserver) but "which is better" is almost always opinion and situation based.





          share




















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f476416%2fadding-a-user-to-sudo-group-vs-creating-a-sudoers-file%23new-answer', 'question_page');

            );

            Post as a guest






























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            The only practical difference that I can see is in the situation where the sudoers file is a standard that is shared (deployed) amongst different machines. (And the user/group database is for some reason not shared. An unlikely situation, IMO.)



            In this instance the user added to the sudo/wheel group will be able to execute any command as any user only on that machine, whereas the the user with an explicit entry in the sudoers file will be able to execute any command as any user on every machine.





            share




















            • we could combine our answers into a SuperAnswer! if you want ot copy/paste mine into yours as an edit, i'll cheerfully delete mine.
              – ivanivan
              5 mins ago














            up vote
            0
            down vote













            The only practical difference that I can see is in the situation where the sudoers file is a standard that is shared (deployed) amongst different machines. (And the user/group database is for some reason not shared. An unlikely situation, IMO.)



            In this instance the user added to the sudo/wheel group will be able to execute any command as any user only on that machine, whereas the the user with an explicit entry in the sudoers file will be able to execute any command as any user on every machine.





            share




















            • we could combine our answers into a SuperAnswer! if you want ot copy/paste mine into yours as an edit, i'll cheerfully delete mine.
              – ivanivan
              5 mins ago












            up vote
            0
            down vote










            up vote
            0
            down vote









            The only practical difference that I can see is in the situation where the sudoers file is a standard that is shared (deployed) amongst different machines. (And the user/group database is for some reason not shared. An unlikely situation, IMO.)



            In this instance the user added to the sudo/wheel group will be able to execute any command as any user only on that machine, whereas the the user with an explicit entry in the sudoers file will be able to execute any command as any user on every machine.





            share












            The only practical difference that I can see is in the situation where the sudoers file is a standard that is shared (deployed) amongst different machines. (And the user/group database is for some reason not shared. An unlikely situation, IMO.)



            In this instance the user added to the sudo/wheel group will be able to execute any command as any user only on that machine, whereas the the user with an explicit entry in the sudoers file will be able to execute any command as any user on every machine.






            share











            share


            share










            answered 7 mins ago









            roaima

            41.2k547112




            41.2k547112











            • we could combine our answers into a SuperAnswer! if you want ot copy/paste mine into yours as an edit, i'll cheerfully delete mine.
              – ivanivan
              5 mins ago
















            • we could combine our answers into a SuperAnswer! if you want ot copy/paste mine into yours as an edit, i'll cheerfully delete mine.
              – ivanivan
              5 mins ago















            we could combine our answers into a SuperAnswer! if you want ot copy/paste mine into yours as an edit, i'll cheerfully delete mine.
            – ivanivan
            5 mins ago




            we could combine our answers into a SuperAnswer! if you want ot copy/paste mine into yours as an edit, i'll cheerfully delete mine.
            – ivanivan
            5 mins ago












            up vote
            0
            down vote













            Effective difference? Not much. Biggest I can think of is that by adding the user to the sudoers group (or whatever group is needed) the user needs to log out/in or use newgrp to really become a member of that group and be able to sudo, whereas a file under /etc/sudoers.d/ wouldn't require that extra step.



            Long term maintenance, etc. with more than just one user involved... the group membership may be "better" - it really comes down to work flow, etc. at that point and it rapidly moves this question even further into that grey murky area known as "opinion based answers". Obviously there may be some technical reasons behind choosing one over the other (ie, for the www-user to sudo and you don't want to or can't start/stop the webserver) but "which is better" is almost always opinion and situation based.





            share
























              up vote
              0
              down vote













              Effective difference? Not much. Biggest I can think of is that by adding the user to the sudoers group (or whatever group is needed) the user needs to log out/in or use newgrp to really become a member of that group and be able to sudo, whereas a file under /etc/sudoers.d/ wouldn't require that extra step.



              Long term maintenance, etc. with more than just one user involved... the group membership may be "better" - it really comes down to work flow, etc. at that point and it rapidly moves this question even further into that grey murky area known as "opinion based answers". Obviously there may be some technical reasons behind choosing one over the other (ie, for the www-user to sudo and you don't want to or can't start/stop the webserver) but "which is better" is almost always opinion and situation based.





              share






















                up vote
                0
                down vote










                up vote
                0
                down vote









                Effective difference? Not much. Biggest I can think of is that by adding the user to the sudoers group (or whatever group is needed) the user needs to log out/in or use newgrp to really become a member of that group and be able to sudo, whereas a file under /etc/sudoers.d/ wouldn't require that extra step.



                Long term maintenance, etc. with more than just one user involved... the group membership may be "better" - it really comes down to work flow, etc. at that point and it rapidly moves this question even further into that grey murky area known as "opinion based answers". Obviously there may be some technical reasons behind choosing one over the other (ie, for the www-user to sudo and you don't want to or can't start/stop the webserver) but "which is better" is almost always opinion and situation based.





                share












                Effective difference? Not much. Biggest I can think of is that by adding the user to the sudoers group (or whatever group is needed) the user needs to log out/in or use newgrp to really become a member of that group and be able to sudo, whereas a file under /etc/sudoers.d/ wouldn't require that extra step.



                Long term maintenance, etc. with more than just one user involved... the group membership may be "better" - it really comes down to work flow, etc. at that point and it rapidly moves this question even further into that grey murky area known as "opinion based answers". Obviously there may be some technical reasons behind choosing one over the other (ie, for the www-user to sudo and you don't want to or can't start/stop the webserver) but "which is better" is almost always opinion and situation based.






                share











                share


                share










                answered 6 mins ago









                ivanivan

                3,2261314




                3,2261314



























                     

                    draft saved


                    draft discarded















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f476416%2fadding-a-user-to-sudo-group-vs-creating-a-sudoers-file%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?