Enforcing security of your Raspberry PI user accounts

March 6, 2016 (updated July 7, 2016) by PerfectSlayer, in Security

With the latest Raspberry Pi Zero and Raspberry Pi 3, more and more Pis will be connected to the Internet. As Shodan shows us, there are several thousand Pis running Raspbian with the SSH server enabled. Most of them still have the default pi user (and some of them probably still have the default password…). And for those who don't know, the pi user is allowed to sudo any command without a password. If you plan to leave your Raspberry Pi connected to the wild Internet, take a few minutes to read this blog post to learn how to create a new, more secure user and remove the old pi one.

To create a new user, named bob for example, open a shell and type:

sudo adduser bob

This creates the new user and its home directory, /home/bob in this case. Note that the new user is not in any privileged group yet and cannot run commands as root. But the pi user is still the one automatically logged into the GUI session at boot. To start the GUI with your new user, edit the lightdm configuration file /etc/lightdm/lightdm.conf and change the autologin user line:

autologin-user=bob

You can test the change by restarting the lightdm service:

sudo service lightdm restart

But as a non-privileged user, bob can't power off or restart your Pi from the desktop. You need to add the new user to the desktop policy file by editing /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf:

[Configuration]
AdminIdentities=unix-user:pi;unix-user:bob;unix-user:0

You also need to let bob run the shutdown and reboot commands as root without being asked for a password. To do that, configure sudoers (with the visudo command, never by editing /etc/sudoers directly, since a syntax error locks everybody out of sudo) and append this line at the end of the file. Note that it grants passwordless sudo for those two commands only, not for everything:

bob ALL=(ALL) NOPASSWD:/sbin/shutdown,/sbin/reboot

While you are in visudo, you will notice that the pi user can run any command as root without a password. It may be worth taking the time later to fix that 😉 Once done, add bob to the sudo group by running the command (useradd only creates accounts and would fail on an existing user; usermod -a -G appends a supplementary group, and without -a it would replace all of bob's other supplementary groups):

sudo usermod -a -G sudo bob

You should now have a fully working new user bob which automatically logs into the graphical environment at boot. But what about the other consoles? You may be aware of the virtual text consoles (reachable with Ctrl+Alt+F1, for example), on which the pi user is also logged in automatically at boot. If you plan to remove the pi user, make sure you change the default user for those consoles by editing the virtual console autologin unit /etc/systemd/system/autologin@.service (the agetty line carries a --autologin pi argument) or by removing it, then run sudo systemctl daemon-reload. Otherwise, once pi is gone, the console autologin will fail and you will have an unusable tty.


Tip: remember to check the groups of your new user. You added sudo, but there are a lot of other useful groups (gpio, i2c, video, …). Check the ones of the pi user (with the groups pi command) to be sure you will not miss one later.
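The whole procedure above, as one script. This is an added example and not part of the original post: the helper functions build the configuration lines, and the part that actually modifies the system only runs when RUN_MIGRATION=1 is set, so you can source the file and inspect what it would write first. It assumes the Raspbian Jessie layout described in the post (lightdm.conf autologin-user line, the 60-desktop-policy.conf polkit file, the autologin@.service getty unit); unlike the post, it puts the sudoers rule in a separate /etc/sudoers.d/ file checked with visudo -c, and it drops pi from the polkit admin list since the goal is to remove that account. The supplementary_groups helper copies every group of pi except pi's own private group, which covers the tip above.

```shell
#!/bin/sh
# Added example (not the blog's code): migrate from the default "pi"
# account to a new admin user.  Usage, as root on the Pi:
#   sudo RUN_MIGRATION=1 sh migrate-user.sh bob
# Paths below assume Raspbian Jessie as described in the post; verify
# them on your image before running.
set -eu

# Turn the output of `groups pi` ("pi : pi adm dialout sudo ...") into the
# comma-separated list usermod -G expects, dropping pi's private group so
# the new user does not end up in it.
supplementary_groups() {
    _line=${1#*: }          # strip the "pi : " prefix
    _out=
    for _g in $_line; do
        [ "$_g" = "pi" ] && continue
        _out="${_out:+$_out,}$_g"
    done
    printf '%s' "$_out"
}

# sudoers rule: passwordless sudo for the two power commands only.
sudoers_rule() {
    printf '%s ALL=(ALL) NOPASSWD:/sbin/shutdown,/sbin/reboot\n' "$1"
}

# polkit admin list: the new user replaces pi, root (uid 0) stays.
polkit_admins() {
    printf 'AdminIdentities=unix-user:%s;unix-user:0\n' "$1"
}

main() {
    user=$1
    adduser --gecos '' "$user"

    # Same supplementary groups as pi (sudo, gpio, i2c, video, ...).
    # -a is essential: without it usermod replaces the group list.
    usermod -a -G "$(supplementary_groups "$(groups pi)")" "$user"

    # GUI autologin (lightdm).
    sed -i "s/^autologin-user=pi$/autologin-user=$user/" /etc/lightdm/lightdm.conf

    # Desktop power actions (polkit).
    { printf '[Configuration]\n'; polkit_admins "$user"; } \
        > /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

    # Passwordless shutdown/reboot only; validate with visudo before
    # installing (a broken sudoers file locks everyone out of sudo).
    tmp=$(mktemp)
    sudoers_rule "$user" > "$tmp"
    visudo -c -f "$tmp"
    install -m 0440 "$tmp" "/etc/sudoers.d/010_${user}-power"
    rm -f "$tmp"

    # Text console autologin (tty1): point agetty at the new user so the
    # console still works once pi is gone.
    f=/etc/systemd/system/autologin@.service
    [ -f "$f" ] && sed -i "s/--autologin pi/--autologin $user/" "$f"
    systemctl daemon-reload

    echo "Now log in as $user, check that sudo works, then remove pi with:"
    echo "  sudo deluser --remove-home pi"
}

if [ "${RUN_MIGRATION:-0}" = "1" ]; then
    main "${1:?usage: RUN_MIGRATION=1 sh migrate-user.sh <newuser>}"
fi
```

Delete pi only from a session opened as the new user, after confirming that sudo, the desktop and a text console all work; deleting the account you are currently logged in as leaves you with no way back if something was missed.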

Tags: account, pi, raspberry, raspberrypi, security, ssh, sshd, user
