Enforcing security of your Raspberry PI user accounts

March 6, 2016 / July 7, 2016 | PerfectSlayer | Security

With the latest Raspberry Pi Zero and Raspberry Pi 3, there will be more and more Pis connected to the Internet. As Shodan shows us, there are several thousand Pis with Raspbian and an SSH server enabled. Most of them still have the default pi user (and maybe some of them still have the default password…). And for those who don’t know, the pi user is allowed to sudo any command. If you plan to leave your Raspberry Pi connected to the wild Internet, take a few minutes to read this blog post to learn how to create a new, more secure user and remove the old pi one.

To create a new user, named bob for example, open a shell and type:

sudo adduser bob

This will create a new user and their home directory, /home/bob in this case. Note that the new user belongs to no specific group and can’t run commands as root. However, the pi user will still be the one used to start the GUI session. To start the GUI with your new user, edit the lightdm configuration file /etc/lightdm/lightdm.conf and change the default logged-in user:

autologin-user=bob

You may test the change by restarting the lightdm service:

sudo service lightdm restart

But as a non-privileged user, bob can’t power off or restart your Pi. You need to add the new user to the desktop policy file by editing /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf:

[Configuration]
AdminIdentities=unix-user:pi;unix-user:bob;unix-user:0

You also need to allow bob to run the shutdown and reboot commands as admin without entering a password. To do that, configure sudoers, with the visudo command for example, and append this line at the end of the file:

bob ALL=(ALL) NOPASSWD:/sbin/shutdown,/sbin/reboot

You will notice that the pi user can run any command as root without being asked for a password. It may be worth taking the time to fix that later 😉 Once done, add the bob user to the sudo group by running the command:

sudo usermod -aG sudo bob

You should now have a fully working new user bob who is automatically logged in to the graphical environment at boot. But what about the other consoles? You might be aware of the virtual consoles (accessible through Ctrl+Alt+F7 for example) on which the pi user is logged in at boot. If you plan to remove the pi user, make sure you change the default user for those consoles by editing the autologin configuration file of the virtual consoles, /etc/systemd/system/autologin@.service, or by removing it.

 

Tip: Remember to check the groups of your new user. You added sudo, but there are a lot of other useful groups. Check the ones the pi user belongs to (with the groups pi command) to be sure you don’t miss one later.
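
The places this post touches (account, sudoers, lightdm, polkit, virtual consoles, groups) can be checked in one pass before removing pi. The following is an added example, not part of the original post: the function name audit_pi, its ROOT argument and the sample tree are assumptions made for the illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list leftovers of the default "pi" account under a root tree.
# Usage: audit_pi ROOT NEWUSER   (ROOT is "" for the live system)
audit_pi() {
    root=$1; new=$2
    grep -q '^pi:' "$root/etc/passwd" 2>/dev/null &&
        echo "passwd: pi account still exists"
    # Any sudoers rule that lets pi run everything without a password.
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        grep -Eq '^pi[[:space:]].*NOPASSWD:[[:space:]]*ALL' "$f" &&
            echo "sudoers: pi has NOPASSWD: ALL in ${f#"$root"}"
    done
    grep -Eq '^autologin-user=pi[[:space:]]*$' \
        "$root/etc/lightdm/lightdm.conf" 2>/dev/null &&
        echo "lightdm: GUI autologin is still pi"
    grep -Eq '^AdminIdentities=.*unix-user:pi(;|$)' \
        "$root/etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf" 2>/dev/null &&
        echo "polkit: pi is still an admin identity"
    # Assumption: the console unit logs in through agetty's --autologin option.
    grep -Eq -- '--autologin[[:space:]]+pi([[:space:]]|$)' \
        "$root/etc/systemd/system/autologin@.service" 2>/dev/null &&
        echo "console: virtual consoles still autologin as pi"
    # Groups that list pi as a member but not the new user.
    awk -F: -v new="$new" '{
        n = split($4, m, ","); p = 0; b = 0
        for (i = 1; i <= n; i++) { if (m[i] == "pi") p = 1; if (m[i] == new) b = 1 }
        if (p && !b) print "group: " new " is missing from " $1
    }' "$root/etc/group" 2>/dev/null
    return 0
}

# Constructed sample tree (not taken from a real system): bob was created and
# lightdm updated, but sudoers, console autologin and two groups were missed.
demo=$(mktemp -d)
mkdir -p "$demo/etc/lightdm" "$demo/etc/systemd/system"
printf 'pi:x:1000:1000::/home/pi:/bin/bash\nbob:x:1001:1001::/home/bob:/bin/bash\n' \
    > "$demo/etc/passwd"
printf 'pi ALL=(ALL) NOPASSWD: ALL\nbob ALL=(ALL) NOPASSWD:/sbin/shutdown,/sbin/reboot\n' \
    > "$demo/etc/sudoers"
printf '[SeatDefaults]\nautologin-user=bob\n' > "$demo/etc/lightdm/lightdm.conf"
printf 'ExecStart=-/sbin/agetty --autologin pi --noclear %%I $TERM\n' \
    > "$demo/etc/systemd/system/autologin@.service"
printf 'sudo:x:27:pi,bob\nvideo:x:44:pi\ngpio:x:997:pi\n' > "$demo/etc/group"
audit_pi "$demo" bob
```

On a real Pi, run audit_pi "" bob as root so that /etc/sudoers is readable; an empty result means none of these files still refers to pi.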
