Running Ghost and NGINX on Docker running on a Raspberry Pi
Why would you ever want to do this?
Some people think that it's more secure - I don't.
Somebody once said "Security through obfuscation isn't security at all" (okay, so I got the quote wrong... it's actually "Security through obscurity" - which rhymes better.)
Anyways, I like to remove the original pi user because:
- It personalizes my raspberry pi a bit - making your home directory a little bit more
"homey" "homie"..er home like.
- It does make it easier to ssh into my pi from my dev box. So...
ssh uberbuilder.localI know, it's not that big of a deal, but I like it - it's cleaner.
- It also makes me feel like my system is a little more secure when the super user isn't the default
piuser. And then I go and blog about it... yeah. So there's that.
- One of the benefits of this exercise is that this teaches you how to create new users and super users. If you have a multi-user box, than creating new users is as simple as repeating step 1.
You might have your own reasons why, or why not to do this. And I'd love to hear about it - let us know in the comments below.
Here's our goal:
- Create a user which behaves exactly like the default
piuser - with sudo access and without having to type your password every time you run a sudo command.
note: Obviously you want to replace
jeremybelow with whatever username you'd like. I'm using this - because yeah, that's my name.
Also note: This has been tested in Rasbian Buster released on 2019-06-20
1. Create a new user with
sudo adduser jeremy
- You will be asked to enter a password (twice)
- Then it will ask you for information about the user (remember, this is from the days of unix) You can fill out anything you'd like or leave it blank.
sudo adduser jeremy Adding user `jeremy' ... Adding new group `jeremy' (1001) ... Adding new user `jeremy' (1001) with group `jeremy' ... jeremy ALL=(ALL) NOPASSWD: ALL Creating home directory `/home/jeremy' ... Copying files from `/etc/skel' ... New password: Retype new password: passwd: password updated successfully Changing the user information for jeremy Enter the new value, or press ENTER for the default Full Name : Jeremy Iglehart Room Number : Work Phone : Home Phone : Other : Is the information correct? [Y/n] Y
2. Add your new user to sudo group
sudo adduser jeremy sudo
sudo adduser jeremy sudo Adding user `jeremy' to group `sudo' ... Adding user jeremy to group sudo Done.
You can check it to be sure your new user is in the sudo group
grep -Po '^sudo.+:\K.*$' /etc/group
grep -Po '^sudo.+:\K.*$' /etc/group pi,jeremy
For more information about checking for super users, I reccommend reading this stack exchange question.
2.5 Add your new user to all the same groups as the user
July 17th, 2019: So, I figured out later in order to have a completely equivolent user to the
piuser you need to add your new username to a bunch more groups than just
I'll come back later and clean up this article to simply just include this in the above line when you're adding
sudo- but for now, I'll put it here.
TODO: Clean up this article so that this is one step instead of two.
pi user belongs to more groups that you need than just
groups pi pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
Note: This was run on an updated Raspbian Buster on
July 17th 2019 at 18:00 EDT- so these are all of the current groups as of today.
If you haven't already deleted the
pi user you can use this script to automatically add your new user to all of the same groups as the
for GROUP in $(groups pi | sed -e 's/^pi : pi //'); do sudo adduser jeremy $GROUP; done
groups pi | sed -e 's/^pi : pi //' line will simply print all the groups that the user
pi is in. The
sed part trims off the user and group
pi since that is most likely going away in a little bit. Here's what it looks like run today:
groups pi | sed -e 's/^pi : pi //' adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
If you're like me and coming to this story late in the game and you've already deleted the
pi user but need to add your new user to all of the groups the
pi user is in - you can use this below line and trust that it's up to date at least as of today:
for GROUP in adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio; do sudo adduser jeremy $GROUP; done
If you really want to be sure that this is current - just go flash a latest version of Raspbian to a Micro SDHC - boot it up and run
groups pi to confirm.
nopasswd rule for the new user
One of the nicest things about the
pi user is that you don't have to type the sudo password in for every sudo command you run. Some people like this, some people don't. I won't get into the reasons for or against it here, but rather leave that up to your choice. Here's how you do it:
/etc/sudoers.d/010_pi-nopasswdto a new
sudo cp /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_jeremy-nopasswd
Add write permissions (so that you can change the file)
sudo chmod u+w /etc/sudoers.d/010_jeremy-nopasswd
Change "pi" to "jeremy"
sudo sed -i 's/pi/jeremy/g' /etc/sudoers.d/010_jeremy-nopasswd
remove write permissions (should be 0440 or
sudo chmod u-w /etc/sudoers.d/010_jeremy-nopasswd
Check the file to be sure it looks right
sudo cat /etc/sudoers.d/010_jeremy-nopasswd
It should look like this:
jeremy ALL=(ALL) NOPASSWD: ALL
All together it will look like this:
sudo cp /etc/sudoers.d/010_pi-nopasswd /etc/sudoers.d/010_jeremy-nopasswd sudo chmod u+w /etc/sudoers.d/010_jeremy-nopasswd sudo sed -i 's/pi/jeremy/g' /etc/sudoers.d/010_jeremy-nopasswd sudo chmod u-w /etc/sudoers.d/010_jeremy-nopasswd sudo cat /etc/sudoers.d/010_jeremy-nopasswd jeremy ALL=(ALL) NOPASSWD: ALL
This ensures that the
pi user is fully logged out and has nothing left running. You won't be able to delete the user
pi if the
pi user still has any processes running.
5. Login as your new user
Now you're good to go! Happy hacking.
If you're like me, and you don't like having the
pi user around - you can remove it now. Run both of these to remove the user and the
sudo deluser -remove-home pi sudo rm -vf /etc/sudoers.d/010_pi-nopasswd
sudo deluser -remove-home pi Looking for files to backup/remove ... Removing files ... Removing user `pi' ... Warning: group `pi' has no more members. Done. sudo rm -vf /etc/sudoers.d/010_pi-nopasswd removed '/etc/sudoers.d/010_pi-nopasswd'
If you try to do this before rebooting you will see something like this:
sudo deluser -remove-home pi Looking for files to backup/remove ... Removing files ... sh: 0: getcwd() failed: No such file or directory Removing user `pi' ... Warning: group `pi' has no more members. userdel: user pi is currently used by process 702 /usr/sbin/deluser: `/usr/sbin/userdel pi' returned error code 8. Exiting.
That's it - you're all set. Happy hacking!
note: on a fresh system where you haven't set any locale you will see this a lot:
perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LC_CTYPE = "en_US.UTF-8", LANG = "en_GB.UTF-8" are supported and installed on your system. perl: warning: Falling back to a fallback locale ("en_GB.UTF-8").
- Choose option
4 Localization Options
- Choose option
1 Change Locale
- (hit okay) then select your locale - choose
UTF-8if you can.
- (hit okay) then select the
.UTF-8option here again.
After this, you shouldn't see this warning message anymore. Here are some screen shots:
So, I first tried a few things outlined in this article above and found out quickly that things have changed in Raspbian since this article has been written. The way Raspberry Pi is setting up the pi user is different in Raspbian Buster.
After some trial and error I ended up settling on the method I describe here in this gist. I'd still like to give credit to what got me started on this path though - because it guided me through the process.