10

I'm pulling my hair out over this thing.

Using Raspberian here.

So I'm trying to restrict the Pi user from being able to use sudo without the root password. After heavy searching, I gave up on that, and now I'm trying to just disable all access to sudo. I can always just su - when needed, after all.

My current /etc/sudoers file looks like

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
#root   ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Throughout my searches, I mostly found awnsers of removing or changing the Pi user's entry in the file. On my install, there never was an entry for Pi user, and it seems the permissions were instead inherited from the sudo group.

I've since commented out the sudo group from /etc/sudoers, and also removed the Pi user from said group.

pi@raspberrypi:~ $ groups pi
pi : pi adm dialout cdrom audio video plugdev games users input netdev spi i2c gpio

But still;

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on raspberrypi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on raspberrypi:
    (ALL) NOPASSWD: ALL

And displaying the issue;

pi@raspberrypi:~ $ ls /root/
ls: cannot open directory /root/: Permission denied
pi@raspberrypi:~ $ sudo ls /root/
Desktop  Documents  Downloads  Music  Pictures  Public  temp  Templates  Videos

How do I either require the root password for sudo, or just remove the Pi's access to it, if not through visudo?

daviddavidson
  • 101
  • 1
  • 1
  • 3
  • There is no root password (you can create one, but that is inadvisable, which is why Debian doesn't have one). Why do you want the pi user (who is a system Administrator) to be unable to do anything on the system? If you need restricted users, create them! – Milliways Nov 20 '16 at 05:44
  • I suppose I might be pulling more than I should from my Fedora experience (where root does have a password). In any case, the company I work for is using Pi's as media players, since a bit of Linux experience and the Pi becomes just as good as the several-hundred-dollar solutions we were using before. This means that the Pi user is always logged in with no lock screen. While there isn't really anything of concern saved directly to the Pi's themselves, and the whole premises is under constant surveillance anyway, it feels just wrong to leave a networked device unsecured in such a manner. – daviddavidson Nov 20 '16 at 06:20
  • You're taking the wrong approach to securing the devices from tampering. Raspbian is also not intended for your use-case. I'd suggest using archlinuxarm on your RasPi(s) and adding only the software you need to the devices. Then securing the much smaller attack surface. (I use attack surface for lack of a better word). --- Rasbian is designed to be as friendly as possible to someone who's never heard of Linux before or ever got into embedded devices. As such, you'll find many security issues when used in a production environment. – Hydranix Nov 20 '16 at 06:41

4 Answers4

16

Just remove the NOPASSWD from file /etc/sudoers.d/010_pi-nopasswd

Change it from :

pi ALL=(ALL) NOPASSWD: ALL

to :

pi ALL=(ALL) ALL
tlhIngan
  • 3,372
  • 5
  • 19
  • 33
Hani Shams
  • 261
  • 2
  • 3
  • 4
    Do remember to use visudo to edit the file (its -f option can be used to specify non-default file (the default is /etc/sudoers)) instead of the normal editor. visudo does some syntax checking before actually replacing the file you edit, saving you from headaches if you make a mistake. – Ruslan Jul 09 '17 at 08:01
  • 2
    Better solution is to remove the whole /etc/sudoers.d/010_pi-nopasswd file. – Paweł Bylica Oct 12 '17 at 10:29
  • I just discovered this this morning, very surprised that password-less default sudo to root is provided for such a seemingly innocuous sounding user account like 'pi'. Pawel, I would also recommend commenting the line out rather than removing the file since it could just be replaced when the package is updated. This is a security bug. – Steeve McCauley Nov 29 '17 at 11:45
5

One of the first things I do with Raspbian is just eliminate the pi user. I presume it was a decision with the primary use case for the OS being teaching grade school kids about computers and trying to make it easy for them -- and to the extent that it provides the opportunity to wreck things, there's an educational experience there. But it is a blatant security hole.

Anyway, having an /etc/sudoers with just those three Defaults and this:

root   ALL=(ALL:ALL) ALL

Left uncommented, reboot, should do it.

If not just use the root account (for which you have to first create a password) to userdel pi, make sure /home/pi is gone, create a new, normal, unprivileged user.

If you then need to do privileged things, log in via a console, or use use su (but not inside of X, there's some risks to that too).

goldilocks
  • 58,859
  • 17
  • 112
  • 227
  • That link just leads back here -- but I promise that's not true, as autologin was not invented for the Raspberry Pi (it's done via an agetty option, or for the GUI, lightdm configuration). However, you cannot easily enable/disable it using raspi-config except for the Pi user (that would not be hard to change though). – goldilocks Jan 02 '20 at 18:04
  • 1
    No, I haven't actually done it and I don't have any pi's here running a GUI to try it. I notice this mentions more config options than those (older) posts. – goldilocks Jan 07 '20 at 16:38
  • I just tried the directions in this page about LightDM options, which failed both for logging in a guest and a new user automatically. Is it because Raspbian by default uses PIXEL and not LightDM? – miguelmorin Jan 08 '20 at 19:48
  • 1
    A DM (display manager) and a DE (desktop environment) are two different kinds of animal (see wikipedia). Raspbian uses lightdm as the DM, and PIXEL (I think they've stopped calling it that, now it is just "the Raspbian desktop" or something) is the DE. You're not limited to that, BTW, you can use other things (and different users can use different DEs). You should really formalize this into a question and go into detail about what you mean by "failed", there may be a clue there. – goldilocks Jan 08 '20 at 21:40
  • I was editing the autologin options in the comments, before [Seat:*]. Now it works, thanks! Do you want to post an answer to this and this? I also suggest deleting all these comments, and I'll add one directing to one of those threads, unless you want to add it in the answer. – miguelmorin Jan 10 '20 at 12:00
  • 1
    This is why it is more efficient to just ask a question and include all the relevant details in that. Eg: Your last remark implies you edited the config and altered fields which were commented out, without realising they were commented out. Something which would have been obvious if you had posted a question including the relevant information. Even if that's not the issue, how I am to know now? I haven't seen your config and I don't know whether you understand some of the conventions (such as commenting) used in them. So it becomes a waste of time. Notice this is now a full week... – goldilocks Jan 10 '20 at 17:41
  • I agree on all counts and apologize. How would you like to proceed for these comments and those two open threads? – miguelmorin Jan 11 '20 at 20:30
  • The older one is not about autologin and all this isn't relevant to it, but if you want to write an answer for the other incorporating what you've found, please do! – goldilocks Jan 11 '20 at 20:38
1

There's 2 steps you need to do, removing the user from the "sudo" group and removing the special file in /etc/sudoers.d/ that also gives "pi" sudo permission. You need to run these commands as root (so you probably want to create a different user and add them to the sudo group before you disable sudo on the pi user)

  1. delgroup pi sudo
  2. rm /etc/sudoers.d/010_pi-nopasswd
Andrew Grafham
  • 11
  • 1
0

Try this approach instead:

Create a new highly limited user for using just the media player. (replace "guest" with whatever name you choose)

useradd -m -U guest

Set a password for this user (you will be prompted)

passwd guest

Or if you do not want to use a password with this user (disable password)

passwd -d guest

You should now be able to run the media player without guest having any sudo access. Further steps may be required to lock down the account, but without knowing your exact situation, I cannot advise further.

Hydranix
  • 226
  • 1
  • 5