@vorlon on the question of where it's added by default, that's in the cloud-init default configuration which lives in /etc/cloud/cloud.cfg and contains the following stanza (redacted for brevity):
system_info:
  ...
  default_user:
    ...
    groups: [adm, audio, cdrom, dialout, dip, floppy, lxd, netdev, plugdev, sudo, video]
I'd echo xnox's point that as the user is being added to adm and sudo, I don't think there's any particular security concern here.
On the subject of choice of groups, it would be nice to echo raspios' setup which is to use a "gpio" group to permit access to the GPIO related devices (/dev/gpiomem, /dev/gpiochip*), an "spi" group for the SPI buses (/dev/spidev*), and an "i2c" group for the I2C buses (/dev/i2c-*).
However, I ran out of time to go fiddling with defining new groups and ensuring the default user is in all those new groups on both the desktop and server images. Upstream in Debian (and hence in Ubuntu), "dialout" is already used for GPIO access (which makes sense given the serial pins are part of the GPIO header, just like SPI and I2C), and (as noted above) we already add the user to this group on the server image, so it seems a reasonable approach to achieve the ultimate goal of providing the default user access to the GPIO header without having to jump to root to do so.
And just to answer @xnox's query as to what exactly this is for, it's access to the GPIO header as a whole, including i2c, gpiomem (although ideally gpiochip* actually, as that's the preferred device to use for GPIO access now), etc., just in case that's not clear from the above.
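The comment above argues that putting the default user in "dialout" is enough to reach the GPIO header without root. What a practitioner reviewing that choice actually wants to know is the concrete set of device nodes a given group list unlocks, including anything "dialout" covers beyond GPIO (serial ports). The following audit script is an added example, not code from the bug report or from cloud-init; it stats character devices under /dev on a live system, or runs against a constructed sample. The device globs for gpio, spi and i2c are the ones named in the comment; the serial globs (/dev/ttyS*, /dev/ttyAMA*) and the group ownership in the sample are assumptions labelled in the code, not a claim about any particular distribution's udev rules.

```python
"""Audit which /dev nodes a user gains read/write access to via group membership.

Added example for the cloud-init default_user discussion; not project code.
"""
import fnmatch
import grp
import os
import stat
from dataclasses import dataclass

# Groups from the cloud.cfg stanza quoted in the thread.
DEFAULT_GROUPS = ["adm", "audio", "cdrom", "dialout", "dip", "floppy",
                  "lxd", "netdev", "plugdev", "sudo", "video"]

# Device classes under discussion. gpio/spi/i2c globs come from the thread;
# the serial globs are an assumption about common tty node names.
DEVICE_CLASSES = {
    "gpio": ["/dev/gpiomem", "/dev/gpiochip*"],
    "spi": ["/dev/spidev*"],
    "i2c": ["/dev/i2c-*"],
    "serial": ["/dev/ttyS*", "/dev/ttyAMA*"],
}


@dataclass(frozen=True)
class DevNode:
    path: str
    group: str   # owning group name
    mode: int    # permission bits only (stat.S_IMODE)


def classify(path: str):
    """Map a device path to one of DEVICE_CLASSES, or None if unrelated."""
    for cls, globs in DEVICE_CLASSES.items():
        if any(fnmatch.fnmatch(path, g) for g in globs):
            return cls
    return None


def group_grants(nodes, groups):
    """Return {class: sorted paths} that a member of `groups` can open read+write
    purely through the group permission bits (owner and 'other' bits ignored)."""
    wanted = set(groups)
    rw = stat.S_IRGRP | stat.S_IWGRP
    result = {}
    for node in nodes:
        cls = classify(node.path)
        if cls is None:
            continue
        if node.group in wanted and (node.mode & rw) == rw:
            result.setdefault(cls, []).append(node.path)
    return {cls: sorted(paths) for cls, paths in result.items()}


def scan_dev(root="/dev"):
    """Collect character devices from the running system as DevNode entries."""
    nodes = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        try:
            st = os.stat(path)
        except OSError:
            continue  # node vanished or is unreadable; skip it
        if not stat.S_ISCHR(st.st_mode):
            continue
        try:
            gname = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            gname = str(st.st_gid)  # gid with no /etc/group entry
        nodes.append(DevNode(path, gname, stat.S_IMODE(st.st_mode)))
    return nodes


# Constructed sample (not a real system listing): a layout where "dialout"
# owns both the serial ports and the GPIO nodes, while spi/i2c use their own groups.
SAMPLE_NODES = [
    DevNode("/dev/gpiomem", "dialout", 0o660),
    DevNode("/dev/gpiochip0", "dialout", 0o660),
    DevNode("/dev/spidev0.0", "spi", 0o660),
    DevNode("/dev/i2c-1", "i2c", 0o660),
    DevNode("/dev/ttyS0", "dialout", 0o660),
    DevNode("/dev/ttyAMA0", "dialout", 0o660),
    DevNode("/dev/mem", "kmem", 0o640),   # group-readable only: never "granted"
]


def compare_with_and_without(nodes, groups, group="dialout"):
    """Show what a single group adds: grants with it versus grants without it."""
    without = [g for g in groups if g != group]
    return group_grants(nodes, groups), group_grants(nodes, without)


if __name__ == "__main__":
    # On a real Raspberry Pi image replace SAMPLE_NODES with scan_dev().
    with_dialout, without_dialout = compare_with_and_without(SAMPLE_NODES, DEFAULT_GROUPS)
    print("with dialout:   ", with_dialout)
    print("without dialout:", without_dialout)
```

Run on the sample, the comparison shows that "dialout" is the only group in the default list that unlocks anything on the header (gpiomem and gpiochip0), but that the same membership also opens the serial ports, which is the trade-off the comment accepts; spidev and i2c nodes owned by their own groups stay out of reach unless those groups are added too.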