July 7, 2019

Create a new sudo user on a Raspberry Pi

How to create a new superuser on Raspbian Buster and remove the default pi user


Why would you ever want to do this?

Some people think that it's more secure - I don't.

Somebody once said "Security through obfuscation isn't security at all" (okay, so I got the quote wrong... it's actually "Security through obscurity" - which rhymes better.)

Anyways, I like to remove the original pi user because:

  • It personalizes my Raspberry Pi a bit - making your home directory a little bit more "homey" "homie" ..er home like.
  • It does make it easier to ssh into my pi from my dev box. So... ssh pi@uberbuilder.local becomes ssh uberbuilder.local. I know, it's not that big of a deal, but I like it - it's cleaner.
  • It also makes me feel like my system is a little more secure when the super user isn't the default pi user. And then I go and blog about it... yeah. So there's that.
  • One of the benefits of this exercise is that this teaches you how to create new users and super users. If you have a multi-user box, then creating new users is as simple as repeating step 1.

You might have your own reasons why, or why not to do this. And I'd love to hear about it - let us know in the comments below.

Here's our goal:

  1. Create a user which behaves exactly like the default pi user - with sudo access and without having to type your password every time you run a sudo command.

note: Obviously you want to replace jeremy below with whatever username you'd like. I'm using this - because yeah, that's my name.

Also note: This has been tested on Raspbian Buster, released on 2019-06-20.


1. Create a new user with

sudo adduser jeremy
  • You will be asked to enter a password (twice)
  • Then it will ask you for information about the user (remember, this is from the days of Unix). You can fill out anything you'd like or leave it blank.
sudo adduser jeremy
Adding user `jeremy' ...
Adding new group `jeremy' (1001) ...
Adding new user `jeremy' (1001) with group `jeremy' ...
Creating home directory `/home/jeremy' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for jeremy
Enter the new value, or press ENTER for the default
  Full Name []: Jeremy Iglehart
  Room Number []:
  Work Phone []:
  Home Phone []:
  Other []:
Is the information correct? [Y/n] Y

2. Add your new user to sudo group

sudo adduser jeremy sudo
sudo adduser jeremy sudo
Adding user `jeremy' to group `sudo' ...
Adding user jeremy to group sudo
Done.

You can check to be sure your new user is in the sudo group:

grep -Po '^sudo.+:\K.*$' /etc/group
grep -Po '^sudo.+:\K.*$' /etc/group
pi,jeremy

For more information about checking for super users, I recommend reading this Stack Exchange question.

2.5 Add your new user to all the same groups as the user pi

Update July 17th, 2019: So, I figured out later that in order to have a completely equivalent user to the pi user you need to add your new username to a bunch more groups than just sudo.

I'll come back later and clean up this article to simply just include this in the above line when you're adding sudo - but for now, I'll put it here.

TODO: Clean up this article so that this is one step instead of two.

The pi user belongs to more groups than just sudo, and your new user needs them too:

groups pi
pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio

Note: This was run on an updated Raspbian Buster on July 17th 2019 at 18:00 EDT - so these are all of the current groups as of today.

If you haven't already deleted the pi user you can use this script to automatically add your new user to all of the same groups as the pi user.

for GROUP in $(groups pi | sed -e 's/^pi : pi //'); do sudo adduser jeremy "$GROUP"; done

That groups pi | sed -e 's/^pi : pi //' line will simply print all the groups that the user pi is in. The sed part trims off the user and group pi since that is most likely going away in a little bit. Here's what it looks like run today:

groups pi | sed -e 's/^pi : pi //'
adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio

If you're like me and coming to this story late in the game and you've already deleted the pi user but need to add your new user to all of the groups the pi user is in - you can use the line below and trust that it's up to date at least as of today:

for GROUP in adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio; do sudo adduser jeremy "$GROUP"; done

If you really want to be sure that this is current - just go flash the latest version of Raspbian to a Micro SDHC card, boot it up and run groups pi to confirm.

3. Add nopasswd rule for the new user

One of the nicest things about the pi user is that you don't have to type the sudo password in for every sudo command you run. Some people like this, some people don't. I won't get into the reasons for or against it here, but rather leave that up to your choice. Here's how you do it:

  1. Copy /etc/sudoers.d/010_pi-nopasswd to a new sudoers.d file:

    sudo cp /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_jeremy-nopasswd
    
  2. Add write permissions (so that you can change the file)

    sudo chmod u+w /etc/sudoers.d/010_jeremy-nopasswd
    
  3. Change "pi" to "jeremy"

    sudo sed -i 's/pi/jeremy/g' /etc/sudoers.d/010_jeremy-nopasswd
    
  4. Remove write permissions (should be 0440 or -r--r-----)

    sudo chmod u-w /etc/sudoers.d/010_jeremy-nopasswd
    
  5. Check the file to be sure it looks right

    sudo cat /etc/sudoers.d/010_jeremy-nopasswd
    

    It should look like this:

    jeremy ALL=(ALL) NOPASSWD: ALL
    

All together it will look like this:

sudo cp /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_jeremy-nopasswd
sudo chmod u+w /etc/sudoers.d/010_jeremy-nopasswd
sudo sed -i 's/pi/jeremy/g' /etc/sudoers.d/010_jeremy-nopasswd
sudo chmod u-w /etc/sudoers.d/010_jeremy-nopasswd
sudo cat /etc/sudoers.d/010_jeremy-nopasswd
jeremy ALL=(ALL) NOPASSWD: ALL
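
Before rebooting and deleting pi, it is worth confirming that steps 2.5 and 3 actually took: the new user is in every group pi is in, and the drop-in has the expected mode and rule. The script below is an added example, not part of the original post; the function names and the script name preflight.sh are this example's own, and it assumes the 010_<user>-nopasswd file naming used above.

```sh
#!/bin/sh
# Added example: pre-flight checks to run before deleting the pi user.
# Function names are this example's own; file paths are arguments so the
# checks can be tried on copies first.

# missing_groups REF_USER NEW_USER [GROUP_FILE]
# Prints each group that lists REF_USER as a member but not NEW_USER.
missing_groups() {
    awk -F: -v ref="$1" -v new="$2" '{
        n = split($4, m, ","); has_ref = 0; has_new = 0
        for (i = 1; i <= n; i++) {
            if (m[i] == ref) has_ref = 1
            if (m[i] == new) has_new = 1
        }
        if (has_ref && !has_new) print $1
    }' "${3:-/etc/group}"
}

# sudoers_dropin_ok USER FILE
# Succeeds only if FILE is mode 0440 (-r--r-----) and its single active
# line is the rule step 3 expects for USER.
sudoers_dropin_ok() {
    perms=$(ls -ld "$2" | cut -c1-10)
    [ "$perms" = "-r--r-----" ] || { echo "$2: mode is $perms" >&2; return 1; }
    rules=$(grep -Ev '^[[:space:]]*(#|$)' "$2" || true)
    [ "$rules" = "$1 ALL=(ALL) NOPASSWD: ALL" ] ||
        { echo "$2: unexpected rule(s): $rules" >&2; return 1; }
}

# preflight NEW_USER: run as root against the live files, before step 4.
preflight() {
    dropin="/etc/sudoers.d/010_$1-nopasswd"
    miss=$(missing_groups pi "$1" | tr '\n' ' ')
    [ -z "$miss" ] || { echo "$1 is not in: $miss" >&2; return 1; }
    sudoers_dropin_ok "$1" "$dropin" || return 1
    visudo -cf "$dropin"    # syntax check of the drop-in by sudo's own parser
}

# Only runs the live checks when a username is given, e.g.: sudo sh preflight.sh jeremy
[ "$#" -eq 0 ] || preflight "$@"
```

The group check only means something while pi still exists, so run it before step 4 and the deletion in step 5.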

4. Reboot

sudo reboot

This ensures that the pi user is fully logged out and has nothing left running. You won't be able to delete the user pi if the pi user still has any processes running.

5. Login as your new user

Now you're good to go! Happy hacking.

If you're like me, and you don't like having the pi user around - you can remove it now. Run both of these to remove the user and the sudoers.d file.

sudo deluser --remove-home pi
sudo rm -vf /etc/sudoers.d/010_pi-nopasswd
sudo deluser --remove-home pi
Looking for files to backup/remove ...
Removing files ...
Removing user `pi' ...
Warning: group `pi' has no more members.
Done.
sudo rm -vf /etc/sudoers.d/010_pi-nopasswd
removed '/etc/sudoers.d/010_pi-nopasswd'

If you try to do this before rebooting you will see something like this:

sudo deluser --remove-home pi
Looking for files to backup/remove ...
Removing files ...
sh: 0: getcwd() failed: No such file or directory
Removing user `pi' ...
Warning: group `pi' has no more members.
userdel: user pi is currently used by process 702
/usr/sbin/deluser: `/usr/sbin/userdel pi' returned error code 8. Exiting.

Done.

That's it - you're all set. Happy hacking!


Locale warning

note: on a fresh system where you haven't set any locale you will see this a lot:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_CTYPE = "en_US.UTF-8",
	LANG = "en_GB.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_GB.UTF-8").

simply run

sudo raspi-config
  1. Choose option 4 Localization Options
  2. Choose option 1 Change Locale
  3. (hit okay) then select your locale - choose UTF-8 if you can.
  4. (hit okay) then select the .UTF-8 option here again.
  5. Profit.

After this, you shouldn't see this warning message anymore.


Credit: https://raspi.tv/2012/how-to-create-a-new-user-on-raspberry-pi
So, I first tried a few things outlined in the article above and quickly found out that things have changed in Raspbian since that article was written. The way Raspberry Pi sets up the pi user is different in Raspbian Buster.

After some trial and error I ended up settling on the method I describe here in this gist. I'd still like to give credit to what got me started on this path though - because it guided me through the process.

Mario: Photo by Cláudio Luiz Castro on Unsplash
Super Mushroom: Photo by Geeky Shots on Unsplash