On Thu, 27 Jul 2017 at 18:00:27 +0200, Michael Biebl wrote:
> Granting root-like access via group sudo is intended and not a security
> hole and the policykit policy is in line with the sudo policy here.

This is also as documented in base-passwd, which is the central authority
on what the predefined groups in Debian mean:

    sudo
        Members of this group may run any command as any user when
        using sudo or pkexec (from the policykit-1 package,
        independently of whether the sudo package is installed).
    —/usr/share/doc/base-passwd/users-and-groups.txt.gz

If you don't want a user to be root-equivalent, don't add them to the
sudo group. Users who are meant to be able to run certain specific
commands (but not others) via sudo should not be in that group;
membership of that group is not required to use sudo.

    S
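
An added example, not part of the original message: a review check that lists every account the sudo group makes root-equivalent, including accounts that hold the group only as their primary GID and so never appear in its member list. The function names, the approved set and the sample file contents are constructed for illustration.

```python
def sudo_group_members(group_text, passwd_text, group_name="sudo"):
    """Return sorted account names that belong to group_name, whether
    listed in the group entry or holding it as their primary GID."""
    gid = None
    members = set()
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        # group(5) format: name:password:GID:comma-separated members
        if len(fields) != 4 or fields[0] != group_name:
            continue
        gid = fields[2]
        members.update(m for m in fields[3].split(",") if m)
    if gid is None:
        return []  # the group is not defined in this file
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # passwd(5) format: name:password:UID:GID:GECOS:home:shell
        if len(fields) == 7 and fields[3] == gid:
            members.add(fields[0])  # member via primary GID only
    return sorted(members)


def unexpected_sudo_members(group_text, passwd_text, approved):
    """Return members of the sudo group that are not in the approved set."""
    found = sudo_group_members(group_text, passwd_text)
    return [name for name in found if name not in approved]


# Constructed sample data in /etc/group and /etc/passwd layout.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:alice,carol
sudo:x:27:alice,bob
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:27:Dave:/home/dave:/bin/bash
"""

if __name__ == "__main__":
    approved = {"alice"}  # hypothetical list of intended administrators
    for name in unexpected_sudo_members(SAMPLE_GROUP, SAMPLE_PASSWD, approved):
        print("root-equivalent via group sudo, not approved:", name)
```

This reads only the local files' contents; on a system that also resolves groups through NSS sources such as LDAP, feed it the output of `getent group` and `getent passwd` instead.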