Sudo permissions disaster

Question

I just got a Pi-4. I'm not sure if I did something wrong while setting it up, but after getting it running I noticed that sudo commands required no passwords. I tried to change this, following some advice I found here:

How to change user pi sudo permissions; how to add other accounts with different permissions?

As that person recommended, I first added an admin user:

$ sudo adduser admin

Then I did the following:

$ sudo adduser admin sudo
$ sudo adduser admin adm

I then checked the user's privileges as advised, and it worked great. All good so far. Then I did the following as recommended:

$ sudo deluser pi sudo
$ sudo deluser pi adm

That worked great, too. Then I did something foolish. Unclear on precisely what I was supposed to do next, I opened up 010_pi-nopasswd to edit it. The file contained just one line:

pi ALL=(ALL) NOPASSWD: ALL

I changed it -- and here is the foolish part, working faster than I was thinking -- to this:

pi ALL=(ALL) NOPASSWD:

The Pi did NOT like this. Whether I am logged on as admin or pi I cannot use sudo for anything.(I did not create a root password before doing all this, so I can't use su either.) This means I also cannot go back and edit that file. Any attempt to do so triggers the following:

>>> /etc/sudoers.d/010_pi-nopasswd: syntax error near line 1 <<<
sudo: parse error in /etc/sudoers.d/010_pi-nopasswd near line 1
sudo: no valid sudoer sources found, quitting
sudo: unable to initialize policy plugin

Likewise, any other use of sudo triggers the same. Is there any way around this problem or have I effectively ruined the OS?

Answer 1

You didn't do anything wrong during setup. By default, user "pi" can issue sudo commands with no password; that's the way Raspbian is released. If you haven't done very much other customizing, just re-flash the microSD card and start over.

If you really need to rescue the contents of the current card, flash a new card and boot the Pi from it. Put the current card into a USB adapter, plug it into a USB port, and you will be able to mount the partitions of the original card, edit files (with sudo) and fix your mistake. (At least, I think so; I haven't actually tested this.)

If you have physical access to a running Linux system, you could use that rather than flashing a second SD card for the Pi. Also note the comment and link from @goldilocks below about using a "live Linux" CD to get a running Linux system fairly easily.

To protect against breaking the sudo system, in the future use the visudo command when editing sudo's files. It won't let you save a file with a syntax error.

For completeness, the following comes from the visudo man page:

visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the “What now?” prompt. At this point the user may enter ‘e’ to re-edit the sudoers file, ‘x’ to exit without saving the changes, or ‘Q’ to quit and save changes. The ‘Q’ option should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again until the error is fixed. If ‘e’ is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature).

Answer 2

The Answer by Bob Brown is correct but if all you want to do is remove password less sudo just delete the 010_pi-nopasswd file.

This can be done on a Linux computer.

You could also log in to a root shell on the Pi to delete the file.
See https://raspberrypi.stackexchange.com/a/79202/8697

Answer 3

Never change manually the sudoers file !!!

In case you did it wrong (as i did T_T), a working solution can be found here : https://sites.google.com/site/nandydandyoracle/tools/pkexec-visudo-no-session-for-cookie

Good luck !!