root group is irrelevant here, and should not be used to enforce ACLs. On Ubuntu, root user is disabled by default. Instead, regular user accounts are treated as admin accounts if they have the permission to `sudo` into root. This is done, by default, by adding user accounts to `sudo` group. This is also what gnome account services / policykit / etc use to determine `who is admin`.
E.g. in gnome-settings on Ubuntu, one can toggle user accounts between normal and administrator, which removes/adds sudo group to a given account. Policykit does correct authentication to execute this action. Accounts in `sudo` group can execute it directly, otherwise a policykit popup appears listing all existing `sudo` group members and asking to authenticate as one of those people. I have just tested that this all works correctly on cosmic. So, if you don't expect this behaviour on this particular account, `sudo` group is the one to remove. But note that is the same group that makes `sudo -i` work, so please don't lock yourself out if that's the only sudo capable account! Thus everything works as expected, and administrator accounts can do the same action (with less validation) via `sudo nano /etc/default/locale`. ** Changed in: systemd (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1800297 Title: localectl updates /etc/default/locale without root privileges To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1800297/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs