I'm pulling my hair out over this thing.

Using Raspbian here.

So I'm trying to restrict the Pi user from being able to use sudo without the root password. After heavy searching, I gave up on that, and now I'm trying to just disable all access to sudo. I can always just su - when needed, after all.

My current /etc/sudoers file looks like

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
#root   ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Throughout my searches, I mostly found answers of removing or changing the Pi user's entry in the file. On my install, there never was an entry for the Pi user, and it seems the permissions were instead inherited from the sudo group.

I've since commented out the sudo group from /etc/sudoers, and also removed the Pi user from said group.

pi@raspberrypi:~ $ groups pi
pi : pi adm dialout cdrom audio video plugdev games users input netdev spi i2c gpio

But still:

pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on raspberrypi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on raspberrypi:
    (ALL) NOPASSWD: ALL

And displaying the issue:

pi@raspberrypi:~ $ ls /root/
ls: cannot open directory /root/: Permission denied
pi@raspberrypi:~ $ sudo ls /root/
Desktop  Documents  Downloads  Music  Pictures  Public  temp  Templates  Videos

How do I either require the root password for sudo, or just remove the Pi's access to it, if not through visudo?

daviddavidson

4 Answers

Just remove the NOPASSWD from file /etc/sudoers.d/010_pi-nopasswd

Change it from:

pi ALL=(ALL) NOPASSWD: ALL

to:

pi ALL=(ALL) ALL
tlhIngan
Hani Shams
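The file named in this answer is reached through the #includedir line at the bottom of /etc/sudoers, which is why commenting out %sudo and leaving the group changed nothing. As an added illustration (not code from any poster), the POSIX sh script below walks a sudoers file and its includedir in the order sudo reads them and reports which file and line grants a named user rights; the tree it builds under a temp dir is a constructed copy of the question's layout, and the user's group list is passed in explicitly instead of being read from the system.

```shell
#!/bin/sh
# Walk a sudoers file plus its #includedir directory in the order sudo reads
# them (main file, then directory entries in lexical order, skipping names
# containing '.' or ending in '~' as sudoers(5) specifies). Only #includedir
# is handled, which is the form on this page. All data here is constructed.

# sudoers_files <main file>: print the main file and every included file.
sudoers_files() {
    printf '%s\n' "$1"
    grep -E '^[#@]includedir[[:space:]]+' "$1" | while read -r kw dir; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "${f##*/}" in *.*|*~) continue ;; esac
            printf '%s\n' "$f"
        done
    done
}

# user_grants <main file> <user> "<groups>": print file:line for every
# uncommented rule whose subject is the user, or %group for a listed group.
user_grants() {
    sudoers_files "$1" | while read -r f; do
        grep -nE '^[^#[:space:]]' "$f" | while IFS=: read -r n line; do
            subj=${line%%[[:space:]]*}
            case "$subj" in
                Defaults*|*_Alias) ;;              # not a privilege rule
                "$2") printf '%s:%s\n' "$f" "$n" ;;
                %*) for g in $3; do
                        if [ "$g" = "${subj#%}" ]; then printf '%s:%s\n' "$f" "$n"; fi
                    done ;;
            esac
        done
    done
}

# make_sample_tree: constructed copy of the question's layout (commented-out
# %sudo line, includedir, 010_pi-nopasswd) under a temp dir; prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/sudoers.d"
    printf 'Defaults        env_reset\n# %%sudo ALL=(ALL:ALL) ALL\n#includedir %s/sudoers.d\n' \
        "$root" > "$root/sudoers"
    printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$root/sudoers.d/010_pi-nopasswd"
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
user_grants "$root/sudoers" pi "pi adm dialout"   # -> .../sudoers.d/010_pi-nopasswd:1
rm -rf "$root"
```

On a real host the same functions can be pointed at /etc/sudoers (as root) with the output of `groups` as the third argument; `sudo -l` remains the authoritative view of what sudo itself concludes.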
One of the first things I do with Raspbian is just eliminate the pi user. I presume it was a decision with the primary use case for the OS being teaching grade school kids about computers and trying to make it easy for them -- and to the extent that it provides the opportunity to wreck things, there's an educational experience there. But it is a blatant security hole.

Anyway, having an /etc/sudoers with just those three Defaults and this:

root   ALL=(ALL:ALL) ALL

Left uncommented, reboot, should do it.

If not just use the root account (for which you have to first create a password) to userdel pi, make sure /home/pi is gone, create a new, normal, unprivileged user.

If you then need to do privileged things, log in via a console, or use su (but not inside of X, there's some risks to that too).

goldilocks
There are 2 steps you need to do: removing the user from the "sudo" group and removing the special file in /etc/sudoers.d/ that also gives "pi" sudo permission. You need to run these commands as root (so you probably want to create a different user and add them to the sudo group before you disable sudo on the pi user).

  1. delgroup pi sudo
  2. rm /etc/sudoers.d/010_pi-nopasswd
Try this approach instead:

Create a new highly limited user for using just the media player. (replace "guest" with whatever name you choose)

useradd -m -U guest

Set a password for this user (you will be prompted)

passwd guest

Or if you do not want to use a password with this user (disable password)

passwd -d guest

You should now be able to run the media player without guest having any sudo access. Further steps may be required to lock down the account, but without knowing your exact situation, I cannot advise further.

Hydranix