John50
Posts: 18
Joined: Sun Mar 31, 2019 2:23 pm

Change new user privileges

Fri Apr 19, 2019 2:23 pm

I am following some tutorials, but it is not clear to me how to give this new user all the privileges that the PI has. The idea is to remove the PI privileges and leave only mine (john) by default.

pi@raspberrypi:~ $ su john
Password:
john@raspberrypi:/home/pi $ sudo visudo

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for john:

What do I need to do next? What is that [sudo] password it is asking for?

DougieLawson
Posts: 40227
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Change new user privileges

Fri Apr 19, 2019 2:53 pm

That's asking for your userid's login password.
Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

John50
Posts: 18
Joined: Sun Mar 31, 2019 2:23 pm

Re: Change new user privileges

Fri Apr 19, 2019 3:06 pm

DougieLawson wrote:
Fri Apr 19, 2019 2:53 pm
That's asking for your userid's login password.

Thank you, I noticed it.

I just added the new user to the sudo group, and after typing the [sudo] password for john I can see this. This means john now has all the privileges the PI user has, right?

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

HawaiianPi
Posts: 6004
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Change new user privileges

Fri Apr 19, 2019 4:07 pm

You should add the new user to all the same groups as the pi user (except the pi group).

To compare groups:

groups pi john

Then add your user john to the same groups (except the pi group).

sudo usermod -G list,of,comma,delimited,groups john


Also, the sudo/password privileges stuff is now stored for users in /etc/sudoers.d

You can either add your user to the default pi user file,

sudo visudo -f /etc/sudoers.d/010_pi-nopasswd

Or create a new file for john.

sudo cp /etc/sudoers.d/010_pi-nopasswd  /etc/sudoers.d/020_john-nopasswd
sudo visudo -f /etc/sudoers.d/020_john-nopasswd
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

John50
Posts: 18
Joined: Sun Mar 31, 2019 2:23 pm

Re: Change new user privileges

Fri Apr 19, 2019 4:17 pm

HawaiianPi wrote:
Fri Apr 19, 2019 4:07 pm
You should add the new user to all the same groups as the pi user (except the pi group).

To compare groups:

groups pi john

Then add your user john to the same groups (except the pi group).

sudo usermod -G list,of,comma,delimited,groups john

Also, the sudo/password privileges stuff is now stored for users in /etc/sudoers.d

You can either add your user to the default pi user file,

sudo visudo -f /etc/sudoers.d/010_pi-nopasswd

Or create a new file for john.

sudo cp /etc/sudoers.d/010_pi-nopasswd  /etc/sudoers.d/020_john-nopasswd
sudo visudo -f /etc/sudoers.d/020_john-nopasswd

I think I added it already, this is what I see when I execute that command:

pi@raspberrypi:~ $ groups pi
pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
pi@raspberrypi:~ $ groups pi john
pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
john : john sudo

HawaiianPi
Posts: 6004
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Change new user privileges

Fri Apr 19, 2019 6:14 pm

You just have john in the sudo group. If you only want to interact with the Raspbian OS, that's probably fine. If you want to interact with hardware, you'll need to be in other groups as well. If you want john to be able to do everything pi can do, join all the same groups.

The command, groups pi john, should return:
pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
john : john adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

John50
Posts: 18
Joined: Sun Mar 31, 2019 2:23 pm

Re: Change new user privileges

Fri Apr 19, 2019 6:27 pm

HawaiianPi wrote:
Fri Apr 19, 2019 6:14 pm
You just have john in the sudo group. If you only want to interact with the Raspbian OS, that's probably fine. If you want to interact with hardware, you'll need to be in other groups as well. If you want john to be able to do everything pi can do, join all the same groups.

The command, groups pi john, should return:
pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
john : john adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio

Yes, that is what I am trying to do. I want the new user to have all the same rights as the pi user, and then to remove sudo rights from the PI one.

I am trying to follow a few guides but honestly I have not managed to do it.

I appreciate your help.

Andyroo

Re: Change new user privileges

Fri Apr 19, 2019 6:39 pm

As HW said above:

sudo usermod -G list,of,comma,delimited,groups john
So you would log on as Pi
Go to the command line
Issue sudo usermod -G adm,dialout john

But put all the groups here with commas.

Let us know how you get on.

John50
Posts: 18
Joined: Sun Mar 31, 2019 2:23 pm

Re: Change new user privileges

Fri Apr 19, 2019 6:54 pm

Andyroo wrote:
Fri Apr 19, 2019 6:39 pm
As HW said above:

sudo usermod -G list,of,comma,delimited,groups john
So you would log on as Pi
Go to the command line
Issue sudo usermod -G adm,dialout john

But put all the groups here with commas.

Let us know how you get on.

So, on the pi user I need to use this command:

sudo usermod -G list,of,comma,delimited,groups john

And then look for this line:

Issue sudo usermod -G adm,dialout john

And add there all these words separated by commas in the same order:

john : john adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio

Is it correct this way?

Andyroo

Re: Change new user privileges

Fri Apr 19, 2019 7:27 pm

The order does not matter - but the command will replace any groups the user is a member of!

The way the command is structured is:

sudo <- Run this as super user who can do most things
usermod <- The command to modify something to do with a user
-G <- say you want to give membership to the list of groups ONLY for the user
adm,dialout <- the list of groups (one or more) NO spaces and with a comma in between each group
john <- the user you wish to change

So
sudo usermod -G adm john
Followed by
sudo usermod -G dialout john

would leave john as a member of dialout only.

HawaiianPi
Posts: 6004
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Change new user privileges

Fri Apr 19, 2019 10:17 pm

Assuming you've already added your user with,

sudo adduser john

Then add that user to all the default groups with,

sudo usermod -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio john
Which puts john in all the same groups as the pi user.

Double-check with,

groups pi john

Which should return what I posted previously (all the same groups, except the user's own group).

~ $ groups pi john
pi : pi adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
john : john adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio



The passwordless sudo configuration is in /etc/sudoers.d/010_pi-nopasswd
You can add your own user entry in that default file (or create separate files for each user -- personal preference).

sudo visudo -f /etc/sudoers.d/010_pi-nopasswd

Add a duplicate entry for your user under pi.

pi ALL=(ALL) NOPASSWD: ALL
john ALL=(ALL) NOPASSWD: ALL

And while you're in there, change the pi entry to PASSWD

pi ALL=(ALL) PASSWD: ALL
john ALL=(ALL) NOPASSWD: ALL

Which will require pi to use a password for anything requiring sudo (but john will still have passwordless sudo).

Now that won't completely eliminate password requests, as there is a timeout where the password entered in a session will allow multiple sudo commands to proceed without a password, if entered within the timeout period (which I believe defaults to 5 minutes). If you want your son to require a password for every sudo command, then run sudo visudo and add or edit the following line.

Defaults timestamp_timeout=0

The number is how many minutes the timeout period is. Zero means no grace period and every sudo command will require a password. You can adjust the number as needed.

And finally, add user john to /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

sudo nano /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf

[Configuration]
AdminIdentities=unix-user:pi;unix-user:0;unix-user:john


Reboot when you've done all of this and you should be good to go.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?
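
An added example (not HawaiianPi's code) for doing the sudoers step from a script instead of interactively: it builds the entry, checks it with visudo -c before installing, and installs it read-only. The function names and the --install argument are hypothetical; the destination path in the comment is the file name suggested earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# render_sudoers_entry USER TAG
# Prints "USER ALL=(ALL) TAG: ALL"; TAG must be PASSWD or NOPASSWD.
render_sudoers_entry() {
    user=$1 tag=$2
    case $user in
        ''|[!a-z_]*|*[!a-z0-9_-]*)
            # Anything but a plain user name could smuggle extra sudoers syntax.
            echo "refusing user name: $user" >&2; return 1 ;;
    esac
    case $tag in
        PASSWD|NOPASSWD) ;;
        *) echo "tag must be PASSWD or NOPASSWD" >&2; return 1 ;;
    esac
    printf '%s ALL=(ALL) %s: ALL\n' "$user" "$tag"
}

# install_dropin USER TAG DEST   (run as root)
# A drop-in with a syntax error can leave sudo unusable, so the candidate
# is checked with `visudo -c` before it is copied into place.
install_dropin() {
    dest=$3
    tmp=$(mktemp) || return 1
    if render_sudoers_entry "$1" "$2" >"$tmp" && visudo -cf "$tmp" >/dev/null
    then
        install -o root -g root -m 0440 "$tmp" "$dest"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Example: sh this-script --install john NOPASSWD /etc/sudoers.d/020_john-nopasswd
if [ "${1:-}" = "--install" ]; then
    install_dropin "$2" "$3" "$4"
fi
```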

Milliways
Posts: 586
Joined: Fri Apr 25, 2014 12:18 am
Location: Sydney, Australia

Re: Change new user privileges

Sat Apr 20, 2019 1:15 am

John50 wrote:
Fri Apr 19, 2019 2:23 pm
I am following some tutorials but it is not clear to me how to give this new user all the privileges that the PI has,

Raspbian privileges are determined by group membership.

I avoid fiddling with sudoers - Just copy groups to the new user:-

for GROUP in $(groups pi | sed 's/.*:\spi//'); do sudo adduser username $GROUP; done
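
An added example (not code from any poster): it works out which of pi's groups john still lacks and appends them with usermod -aG, so the replace-everything behaviour of plain -G that Andyroo describes cannot drop john's existing memberships. The user names come from the thread; the function names, the APPLY variable and the --run argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# missing_groups REF_GROUPS NEW_GROUPS REF_PRIMARY
# The first two arguments are space-separated group lists, as printed by
# `id -nG USER`. Prints, comma-separated, every group in REF_GROUPS that is
# not in NEW_GROUPS, skipping REF_PRIMARY (the reference user's own group).
missing_groups() {
    ref_groups=$1 new_groups=$2 ref_primary=$3
    out=
    for g in $ref_groups; do
        [ "$g" = "$ref_primary" ] && continue
        case " $new_groups " in
            *" $g "*) continue ;;   # whole-word match: "pi" must not hit "spi"
        esac
        out="${out:+$out,}$g"
    done
    printf '%s\n' "$out"
}

# sync_groups REF_USER NEW_USER
# Prints the usermod command; runs it only when APPLY=1 (needs root).
sync_groups() {
    ref_user=$1 new_user=$2
    add=$(missing_groups "$(id -nG "$ref_user")" "$(id -nG "$new_user")" \
                         "$(id -ng "$ref_user")")
    if [ -z "$add" ]; then
        echo "$new_user already has every group $ref_user has"
        return 0
    fi
    # -a appends; -G on its own replaces the whole supplementary list.
    echo "usermod -aG $add $new_user"
    if [ "${APPLY:-0}" = 1 ]; then
        usermod -aG "$add" "$new_user"
    fi
}

# Example: sh this-script --run pi john          (dry run)
#          APPLY=1 sh this-script --run pi john  (as root, makes the change)
if [ "${1:-}" = "--run" ]; then
    sync_groups "${2:-pi}" "${3:-john}"
fi
```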

fbe
Posts: 649
Joined: Thu Aug 17, 2017 9:08 pm

Re: Change new user privileges

Sun Apr 21, 2019 4:47 pm

HawaiianPi wrote:
Fri Apr 19, 2019 10:17 pm
...
And finally, add user john to /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf
sudo nano /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf
[Configuration]
AdminIdentities=unix-user:pi;unix-user:0;unix-user:john

...
Or replace unix-user:pi by unix-group:sudo

[Configuration]
AdminIdentities=unix-group:sudo;unix-user:0

John50
Posts: 18
Joined: Sun Mar 31, 2019 2:23 pm

Re: Change new user privileges

Sat Apr 27, 2019 12:28 pm

Finally I managed to give the same privileges to my new user as pi has. Now when I log in as the new user and try to delete the pi user account I get this result:

john@raspberrypi:~ $ sudo deluser pi
[sudo] password for john:
Removing user `pi' ...
Warning: group `pi' has no more members.
userdel: user pi is currently used by process 462
/usr/sbin/deluser: `/usr/sbin/userdel pi' returned error code 8. Exiting.

Does somebody know what I should do?
