The user “root” is a standard account that exists on every Linux system. Its name is well known, and it has unrestricted rights. In normal use of a Raspberry Pi you do not work as “root” but as the user “pi”, which has only limited rights and therefore cannot do everything.

Occasionally, however, you have to make changes to the Raspberry Pi, and then you need the rights of “root” (root rights). With the Linux distribution Raspbian, the standard user “pi” can always obtain root privileges on the command line with “sudo” or “su”, without knowing the root password. Depending on your security requirements, you may want to limit this possibility.

Note: Root access is a work tool. Without root privileges, you cannot make changes to a system. However, direct root access always presents a security risk, especially if access is not restricted.

Tasks

- How do the root rights work in the default configuration?
- Restrict the root privileges of the user “pi”.
- Enable the root account by setting a password.
- Disable the root account.

Note: Change permissions

If you change permissions, you usually test them right away. This is the only way to ensure that they work as desired. However, it sometimes happens that the permissions do not behave as expected in the test, even though the change was made correctly. In such cases, remember that changes to permissions and configurations must first be picked up by the running instances, and depending on the instance, it has to be restarted. For user permissions (groups, etc.), the user must first log out and log in again; only then are new group assignments adopted. If you change a server configuration, the service must be restarted before it accepts the changed configuration. Some configuration changes even require a complete reboot of the system. So when changing permissions and configurations, be aware of where you made the change (running process or file), then consider which instance is affected (user, service, or system) and whether that instance must be restarted to take over the change.

Solution: Root rights in the default configuration

In the default configuration of Raspbian (images as of the end of 2014), no password is set for the user “root”. Instead, the default user “pi” can work with root rights via “sudo”, without restrictions. “sudo” is commonly read as “super user do”. However, “sudo” stands for “substitute user do”.
With “sudo” you can execute commands with the rights of any user, not just “root”, assuming you have root privileges.

    sudo {COMMAND}

Solution: Switch to “root”

However, it can be quite annoying to always write “sudo” before every action. Therefore, there are ways to become “root” temporarily or permanently in order to make system-wide changes.

    sudo -s
    sudo su
    sudo su -

After entering the password, the normal shell becomes the root shell.

The command “su” stands for “substitute user”. It is also commonly read as “super user”, meaning “root”, which has unlimited rights on a system. However, with “su” you can become any user, not just “root”. The hyphen “-” after “su” means that the complete environment (aliases, paths, etc.) of the target user is made available and that the working directory changes to that user's home directory. If you leave the “-” off, you continue to work in the environment you came from. In this case, only the permissions are taken over.

With “sudo su -”, which is the short form of “sudo su - root”, you change into the home directory of “root”.

With “exit” you leave the assumed user and return to the previously logged-in user. An existing SSH connection is not terminated by this.

Solution: Install “sudo”

In general, “sudo” is installed on multi-user distributions. However, it may happen that it is not. In that case you can install it afterwards.

    apt-get update
    apt-get install sudo

Solution: Restrict root privileges (query user password)

Normally, the user “pi” is only asked for the password when logging in. After that, the password is not requested again. If the user then leaves the workplace, anyone can work on this system without restriction, including with root rights by means of “sudo”. The idea is to restrict the permissions so that the user “pi” is occasionally asked for the password when using “sudo”. To do this, make sure that the user “pi” is assigned to the user group “sudo”.

    sudo gpasswd -a pi sudo

In principle, any other user can be made a system administrator the same way. However, this change only takes effect after the user has logged out and back in, provided that the user “pi” was not already in the user group “sudo”.

    id pi

Then we change the sudo user control (sudoers) with “visudo”. This edits a file that you should never edit directly.

    sudo visudo

The following line is responsible for the password prompt when using “sudo”. It should be present in the configuration file.

    %sudo ALL=(ALL:ALL) ALL

In the configuration file, we change the following line:

    pi ALL=(ALL) NOPASSWD: ALL

to

    #pi ALL=(ALL) NOPASSWD: ALL

With this we comment out the line that originally allowed the user “pi” to use “sudo” without entering a password. Then save and close the file: Ctrl + O, Return, Ctrl + X. “visudo” verifies the syntax before overwriting the original file. If you did something wrong, this prevents you from locking yourself out.

The change applies immediately. Now, “pi” must enter its own password at the first command prefixed with “sudo” to obtain root privileges. For a few minutes afterwards, “pi” may continue to use “sudo” without entering the password again.

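The result of the sudoers edit can be checked mechanically. The shell functions below are an added example, not part of the original tutorial: they list which users or groups still have an active NOPASSWD rule and confirm that the %sudo rule prompts for a password. Both sample files and the rule for UID 1001 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: sudoers content before the edit described above.
sample_before() {
cat <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
pi ALL=(ALL) NOPASSWD: ALL
EOF
}

# Constructed sample: after commenting out the "pi" rule, plus a hypothetical
# UID-based rule. In sudoers, "#" followed by digits names a UID, not a comment.
sample_after() {
cat <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#pi ALL=(ALL) NOPASSWD: ALL
#1001 ALL=(ALL) NOPASSWD: /sbin/reboot
EOF
}

# Read sudoers text on stdin; print the user/group field of every ACTIVE
# rule that carries NOPASSWD. Line continuations (trailing "\") are not handled.
nopasswd_subjects() {
    awk '
        /^[ \t]*#[0-9]+[ \t]/ { if ($0 ~ /NOPASSWD[ \t]*:/) print $1; next }
        /^[ \t]*#/            { next }   # ordinary comment, e.g. "#pi ..."
        /^[ \t]*Defaults/     { next }   # settings, not user rules
        /NOPASSWD[ \t]*:/     { print $1 }
    '
}

# Read sudoers text on stdin; succeed only if an active %sudo rule exists
# and none of the %sudo rules carries NOPASSWD.
sudo_group_prompts() {
    awk '
        /^[ \t]*%sudo[ \t]/ { found = 1; if ($0 ~ /NOPASSWD[ \t]*:/) bad = 1 }
        END { exit !(found && !bad) }
    '
}

for s in sample_before sample_after; do
    printf '%s: passwordless sudo for: %s\n' "$s" "$($s | nopasswd_subjects | tr '\n' ' ')"
done
sample_after | sudo_group_prompts && echo "%sudo rule prompts for a password"
```

On a live system, the same functions can read the real file, for example `sudo cat /etc/sudoers | nopasswd_subjects`. Files pulled in by an include directive have to be checked the same way.
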
Solution: Activate root account

In general, Raspbian does a good job of disabling the root account and administering the system exclusively as user “pi” using “sudo” or “su”. However, there are reasons to create a password for the user “root” and thus activate the root account, for example if untrusted users have access to the Raspberry Pi. They could activate the root account unnoticed and cause further mischief. Therefore, if the Raspberry Pi is used as a multi-user environment, the root account should be activated.

The root account is activated by giving the user “root” a password.
