Is there ever a good reason to add users to the “root” group?

Unlike the root user, the root group does not bring any inherent powers or privileges. So any special permissions you get from group root are because of group permissions on files in the root group, or because of things like sudo that may be configured to give additional permissions.

At one time, the root group was used for sudo, and in many config files, this is still there in addition to the sudo group. Also, at the time, group 0 was called “wheel” rather than root. In the interests of clarity, I’ll call group root “wheel” from here forward, to distinguish it from user root.

The trend in Unix security has been to have system files with ownership root:wheel with the presumption that this ownership makes the files harder to corrupt (or leak). As such, the trend has been to move away from using wheel for anything else and to create special groups such as sudo to replace wheel, and further separate and dilute any possible extra permissions of wheel.

So the determination of whether it makes sense to add a user to wheel rests entirely on what additional access that would give. If they are already in the sudo group, then they don’t need wheel to give access to that. Are there wheel files that have read or write access exclusive to wheel? Does the user in question need that, or would it be a problem if they had that?

For example, at one time, log files were only readable to root or wheel. The current trends, in trying to further separate that privilege, have changed the group of most log files to adm (or similar spelling), although there may still be some vestiges of log files in group wheel. Similar shifts have occurred in other areas to further dilute the permissions formerly covered by wheel.

Why would you need wheel (or adm) permissions if you have sudo anyway?

The thought is that the less you use sudo, and the less you make it a habit to use sudo, the less chance there is to accidentally do something as root that should have been done as a user. So needing to use sudo to (for example) examine a log file or even use filename completion to get the log file name is inconvenient, and possibly dangerous. It could be construed as better to instead add the user to the group of the file (and its parent directory).
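The two questions the answer raises, "what extra access would membership in a group actually give?" and "which groups do I need to reach a file without sudo?", can both be answered from file modes alone. The script below is an added example, not part of the original answer: `group_exclusive_access` lists the files under a directory whose group bits grant a read or write permission that "other" does not get (so it shows exactly what adding a user to that group unlocks), and `groups_needed` walks from a file up through its parent directories and prints each component, with its owning group, where group membership matters. It assumes a POSIX shell with `find`, `ls`, `cut` and `dirname`; the group and directory names are arguments, so it works for `root`, `adm` or any other group, which generalizes the root-group case discussed above.

```sh
#!/bin/sh
# Added example (not from the original answer). Audits what access a group
# grants beyond what "other" already has, using only file modes.

# group_exclusive_access GROUP DIR
# Print every path under DIR owned by GROUP where the group has read or write
# permission that "other" lacks. Anything printed is access a user would gain
# purely by being added to GROUP.
group_exclusive_access() {
    grp="$1"
    dir="$2"
    find "$dir" -group "$grp" \
        \( \( -perm -g=r -a ! -perm -o=r \) -o \( -perm -g=w -a ! -perm -o=w \) \) \
        -print 2>/dev/null
}

# groups_needed PATH
# Print "GROUP PATH" for PATH and each ancestor directory where the owning
# group holds a permission bit (read, write or search) that "other" does not.
# These are the groups a user must belong to in order to reach PATH without
# sudo; the answer's point about adding the user to the group of the file
# and its parent directory is exactly this walk.
groups_needed() {
    p="$1"
    while :; do
        # Fields of ls -ld: mode, links, owner, group, ...
        set -- $(ls -ld "$p")
        mode="$1"
        grp="$4"
        g=$(printf '%s' "$mode" | cut -c5-7)   # group rwx triple
        o=$(printf '%s' "$mode" | cut -c8-10)  # other rwx triple
        i=1
        while [ "$i" -le 3 ]; do
            gc=$(printf '%s' "$g" | cut -c"$i")
            oc=$(printf '%s' "$o" | cut -c"$i")
            if [ "$gc" != '-' ] && [ "$oc" = '-' ]; then
                printf '%s %s\n' "$grp" "$p"
                break
            fi
            i=$((i + 1))
        done
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
}

# Usage (uncomment to run against a real system):
#   group_exclusive_access root /etc
#   groups_needed /var/log/syslog
```

Run `group_exclusive_access root /` on a system before deciding whether a user belongs in group 0: an empty result means wheel membership gives nothing beyond what sudo rules already grant, while a list of config or log files is the concrete privilege you would be handing out. `groups_needed` on a log file typically prints `adm` for the file and its directory on current distributions, which is the narrower group the answer recommends joining instead.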
