Debian Admin Password

[rubikwizard]

Hi

Just received my RasPi today and having great fun playing with it

I have installed the Debian image from this site and have been browsing through all the applications in the menus. Some of them require an admin password to access them. What is this password? I have tried the password to initially log in to the machine (raspberry) but this is not accepted.

Many thanks for any help.

[ianm1981]

As far as im aware there isnt one (anyone feel free to correct me)

It is however very easy to make one. Simply open a terminal window and type

sudo passwd root

press enter

then enter the new password in twice and away you go.

Standard exclamations of shock and alarm and the dangers of using root accounts may follow from people more linux/security conscious than myself ;o)

[grumpyoldgit]

With Debian, if you are carrying out a command that needs admin privileges, you type sudo in front and then type your password when required. With Debian, Ubuntu and the rest of that family, root is hidden.

[grumpyoldgit]

What ianm1981 said works but it is generally considered to be bad form as the theory is you should never need to log in as root. I've been running on Ubuntu for a couple of years now and never logged on as root.

[rubikwizard]

Well I came across the application called GParted in the Preferences menu on the desktop. I figured I could use this to resize my partition to use the full capacity of my SD card but it asked for an admin password.

Not really sure what I am doing yet so might just leave it for the moment!

I realise there have been other threads about resizing partitions but didn't fully understand so I will have another look for them.

I have to say all this command line stuff is bringing back many happy memories of my Amiga days writing, compiling and running programs from the CLI. Hopefully I will now have many happy RasPi days ahead! I have bought the book "Linux Command Line" so am starting to work my way through it. Too many years of using Windows has made me soft!

[jojopi]

There is an issue in the debian image because LXDE's menus are set up to use su instead of sudo, but there is no root password.  To fix it run the following command as user pi:

gconftool-2 -\-type bool -\-set /apps/gksu/sudo-mode true

[grumpyoldgit]

Presumably this information needs to be highlighted as everyone is going to hit the problem.

[Chris.Rowland]

Yes, we went through this a week or two ago.

Where would be best to put this? In the wiki somewhere but what page? I don't mind adding something.

While either of these approaches used allow Gparted to be used from lxde neither help with moving or copying files using the file manager.  Is this a "feature" of the file manager? In which case is there a better one?

And leafpad doesn't allow saving files as root.

I tripped over this when trying to set the screen size to 800x600 running Debian in QEMU.

[grumpyoldgit]

I have to admit I don't understand it. The PC I am typing on runs Lubuntu 11.10 which is basically a cut down Ubuntu with an LXDE front. I've had it up and running a couple of months to give me some familiarity with LXDE. In terminal. if I need to install software or otherwise carry out a task which requires advanced priviledges I just add sudo in front and give my password if prompted. In LXDE if I use an application like Gparted, I will be prompted for my password.

I can't work out whether this su issue is deliberate or is an error or oversight that the gconftool command corrects.

[Chris.Rowland]

I guess it's an oversight, the debian version for the Pi definitely seems to do this.  I guess that the fix that jojopi suggested could be added to the image quite easily.

There's still the issue that it works with gparted but not for writing files from LXDE.

[croston]

@Grumpyoldgit Ubuntu uses sudo by default. Debian does not even though sudo has been set up on the RPi image on a basic level (look at .bash_history). The gconftool command needs to be run to change the default behavior in X. Hopefully this will be done in the next Debian image by default. Bear in mind that the early RPi developers are rapidly finding and fixing niggles like this. Remember Debian != Ubuntu

[GizmoB73]

Interestingly (and probably rather dangerously) I have found that you can run:

$ sudo su -

#

to get logged in as root without knowing the password!

This works regardless of whether you know the root password or not.

This seems to make a mockery of the whole security model to me.  Isn't this a massive security hole?

[jamesh]

croston said:

@Grumpyoldgit Ubuntu uses sudo by default. Debian does not even though sudo has been set up on the RPi image on a basic level (look at .bash_history). The gconftool command needs to be run to change the default behavior in X. Hopefully this will be done in the next Debian image by default. Bear in mind that the early RPi developers are rapidly finding and fixing niggles like this. Remember Debian != Ubuntu

I've asked for it to be done on the next release.

[jojopi]

GizmoB73 said:

Isn't this a massive security hole?

It is not the most secure configuration of sudo, but it is the most convenient.  It is not an unreasonable default on a truly personal computer where the owner is actively encouraged to experiment.

If you want to tighten the configuration up, run "sudo visudo" and then delete the line "Defaults exempt_group = users" and save.  Then run "passwd pi" and change the password from raspberry to something less guessable, if you have not already.

Now sudo will ask for pi's password (except for rapid repeat uses), which provides additional protection against unattended keyboards or malicious software.

[GizmoB73]

jojopi said:

GizmoB73 said:

Isn't this a massive security hole?

It is not the most secure configuration of sudo, but it is the most convenient.  It is not an unreasonable default on a truly personal computer where the owner is actively encouraged to experiment.

If you want to tighten the configuration up, run "sudo visudo" and then delete the line "Defaults exempt_group = users" and save.  Then run "passwd pi" and change the password from raspberry to something less guessable, if you have not already.

Now sudo will ask for pi's password (except for rapid repeat uses), which provides additional protection against unattended keyboards or malicious software.

That's fair comment about the usage.

And thanks for the tips on changing sudo.

[frying_fish]

GizmoB73 said:

Interestingly (and probably rather dangerously) I have found that you can run:

$ sudo su -

#

to get logged in as root without knowing the password!

This works regardless of whether you know the root password or not.

This seems to make a mockery of the whole security model to me.  Isn't this a massive security hole?

You can get a root shell by either:

$sudo -s

or

$sudo -i

depending on whether you want it to keep all your current shell defaults (-s), or login with a new interactive shell using roots defaults (-i). Using sudo su obviously also works, but you could also

$sudo su SOMEOTHERUSER

That would allow you to become said other user, and interact with the system as if you were them (useful if you need to check permissions are working on a multi user system)

Hopefully that gives a little insight.

[Joe Schmoe]

I just do "sudo bash".

As far as whether or not this is a security "hole" - I think you just have to accept it.  It is part and parcel of the idea of a personal computer.  I mean, that's the whole point of having a personal computer - it is for you.  The fact that they've evolved the normal desktop office PC back into a mainframe/terminal model, with limited access (and control) by the person sitting at the keyboard, is pretty much irrelevant to what we are trying to accomplish with the Pi.

[Jim Manley]

Joe Schmoe said:

I just do "sudo bash".

For any newbies who aren't aware, /bin/sh is now the default shell (i.e., the command line interpreter, script execution environment, etc.) for Debian as of Squeeze for POSIX compliance, having been downgraded from bash (the historically-preferred shell), but, what a PITA.

bash is supposed to be the default interactive shell, but, when I accessed the Pi in the UK from California, it defaulted to sh everywhere.  Naturally, I fixed that via chsh to and bash was available when I logged into another xterm or when I logged out and then logged back in via the same xterm.

Up/down arrow keys to browse command history and tab auto-completion don't work in sh (at least remotely accessing the UK Pi), the color-coded file types in bash are gone in sh, and all of the other features we Linuxen have grown to know and love in bash are pretty much not in sh.  Talk about dumbing down to the lowest common denominator.  Yeah, yeah, I know, sh is really meant for the system to use to execute scripts in a uniform way.

[jojopi]

Jim Manley said:

bash is supposed to be the default interactive shell, but, when I accessed the Pi in the UK from California, it defaulted to sh everywhere.

It seems that the annoying[+], Debian specific, "adduser" script defaults to bash, whereas the underlying, portable, "useradd" binary defaults to sh.  These defaults being set in /etc/adduser.conf and /etc/default/useradd, respectively.  I can only assume that Deb and/or Ian expect you to use "adduser" for human users and "useradd" for system accounts!

Incidentally, I do not think the argument is that dash is more POSIX compliant than bash, but rather that because it implements only the bare minimum functionality it is faster for non-interactive uses.

[+] I have a pathological hatred for such scripts ever since I used the one in Slackware 1.1.2 to add a user with a home directory of "/" and it recursively chowned the entire filesystem.

[bredman]

I have now added this to the troubleshooting wiki

http://elinux.org/R-Pi_Trouble.....#Passwords