With the latest Raspberry PI zero and Raspberry PI 3, there will be more and more Pi connected to the Internet. As Shodan lights us, there is about several thousands of Pi with Rasbian and SSH server enabled. Most of them still have the default pi user (and maybe some of them still have the default password…). And for those who don’t know, the pi user is allowed to sudo any command. If you planned the let your Raspberry Pi connected on the wild Internet, take some minutes to read this blog post to learn how to create a new and more secured user and remove the old pi one.
To create a new user, named bob for example, open a shell and type:
sudo adduser bob
This will create a new user and his home, /home/bob in this case. Note that the new user has no specific group and can’t run command as root. But the pi user will always be used to start GUI session. To start GUI with your new user, you need to edit the lightdm configuration file
/etc/lightdm/lightdm.conf to change the default logged user:
You may test it change by restarting lightdm service:
sudo service lightdm restart
But as non-privileged user, bob can’t power off or restart your PI. You need to add the new user to desktop policy file by editing the file
And you also need to run shutdown and reboot command as admin without validating password. To do that, you must configure sudoers, with
visudo command for example, to append this line at the end of file:
bob ALL=(ALL) NOPASSWD:/sbin/shutdown,/sbin/reboot
You notice that pi user can run any command as root without asking password. May be it worth to take time later to fix it 😉 Once done, add bob user to sudo group by running the command:
sudo useradd -G sudo bob
You should now have a fully working new user bob which automatically logs in the graphical environment at boot. But what about the other consoles ? You might be aware of the virtual consoles (accessible throw
ctrl+alt+f7 for example) on which pi user is logged at boot. If you plan to remove pi user, ensure you change the default user for those consoles by editing the autologin configuration file of virtual consoles
/etc/systemd/system/autologin@service or removing it.
Tips: Think to check the groups of your new user. You added sudo but there is a lot a useful groups. Check the ones of pi user (with
groups pi command) to be sure you will not miss one later.