Raspberry Pi Default Groups

In setting up my Raspberry Pi for a home fileshare, I noticed the pi user is a part of several default groups. These are:

1pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi

(I’m using the 2017-09-07 image of Raspbian Stretch Lite.)

This looked like a lot of groups to me! To make sure my new user only has the minimum permissions needed, let’s look at the what each group is and why it’s there.

Group Descriptions

piUser-specific group. A group is automatically created for each new user; you can ignore this.
admAllows access to log files in /var/log and using xconsole
dialoutAllows access to serial ports/modem reconfiguration, etc.
cdromUncreatively, this group enables access to optical drives.
sudoEnables sudo access for the user.
audioAllows access to audio devices like microphones and soundcards
videoAllows graphics card/webcam access.
plugdevEnables access to external storage devices
gamesI’m unsure of this. No files belong to this group by default, and I cannot find references to it online.
usersAppears to be a Pi-specific group enabling access to /opt/vc/src/hello_pi/ directory and contained files.
inputAppears to give access to the /dev/input/mice folder and nothing else.
netdevEnables access to network interfaces
gpioPi-specific group for GPIO pin access.
i2cSimilar to the above, but for I2C access. Generated after installing i2c-tools.
spiSimilar to the above, but for the SPI bus.

So, based on my application (and future use of the Pi), I’m not adding the cdrom, games, and users groups to my new user.

Helpful Resources

The above descriptions were sourced based on the following: