freespace
Posts: 5
Joined: Wed Jan 21, 2015 7:40 pm

[SOLVED] Raspbian is not asking for a password ever.

Wed Jan 21, 2015 8:50 pm

[UPDATE:] This post was solved by user "ripat" in post #6 below counting this post as #1.

Specs:
Hardware: Raspberry Pi Model B.
OS: Raspbian (Latest version as of this post)

Notes:
  • This is a fresh install of the OS on the Raspberry Pi model B. It did ask for a password on install and I gave it one. I also used the following from a command prompt to make sure a root password was set:
    sudo passwd root
  • I've searched the forums and the web for solutions to this problem and have only found forum entries where the solution was never posted or made clear.
Description of the problem:
Raspbian never asks me for a password when I request elevated privileges either from the command prompt via the "sudo" command, or from the "Run" text entry box (by pressing "ALT+F2", or navigating from the Main menu to "Run") and entering "gksu appname" where appname is any application I wish to run using elevated super user privileges.

What I expect to happen:
When I enter "sudo appname" from a command prompt I expect to be asked for the root password, AND, when I use "gksu appname" from the "Run" menu I expect a window to pop open asking me for root privileges before the program referred to by 'appname' is run.

What happens instead:
If "sudo appname" is used, then whatever command is replacing the 'appname' placeholder here is run with elevated administrative privileges without ever asking me for the root password. If "gksu appname" is used, the program referred to by the 'appname' placeholder is run with elevated administrative privileges without ever asking me for the root password.

Questions:
  1. I've installed Raspbian 3 times and each time this problem has occurred. Why is Raspbian installing with very poor security measures and allowing the default user to run any program with root privileges without ever asking for the password?
  2. If for example I install Ubuntu on a desktop computer, it asks me to create a username and password combination from which the OS sets up an administrative account using that information, and by default if I need to run something with elevated privileges it always asks me for the root password before doing so. The part where it asks for a password is not happening in Raspbian, how can I get that behavior by default in Raspbian?
  3. I haven't changed any configuration files, this is a fresh install, and this problem was happening both BEFORE and AFTER I ran the "sudo passwd root" command. What could be causing the behavior described in the problem description above and why would this be happening after a fresh install of the OS each time I install it?
For clarity:
This is where things stand now:
Raspbian never asks for a password ever, and runs all programs requesting elevated privileges as such without passwords.

This is how I would like things to be:
Whenever any command asks for elevated privileges via either "sudo" or "gksu" I would like Raspbian to ask me for an administrative password before running that command, and not to run that command if a password is not given or is given incorrectly.
Last edited by freespace on Fri Jan 23, 2015 5:40 pm, edited 2 times in total.

User avatar
FTrevorGowen
Forum Moderator
Forum Moderator
Posts: 5052
Joined: Mon Mar 04, 2013 6:12 pm
Location: Bristol, U.K.
Contact: Website

Re: Raspbian is not asking for a password (elevated privileg

Thu Jan 22, 2015 10:11 am

The default policy for sudo within Raspbian is not the same as for Ubuntu etc. To change this you need to edit /etc/sudoers using visudo. More details can be found within the man page for sudo and within the file itself. Normally there is no root user and user pi has been given enough privileges to perform essential tasks w/o re-asking for a password.
Trev.
Still running Raspbian Jessie on some older Pi's (an A, B1, B2, B+, P2B, 3xP0, P0W) but Stretch on my 2xP3A+, P3B+, P3B, B+, A+ and a B2. See: https://www.cpmspectrepi.uk/raspberry_pi/raspiidx.htm

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Raspbian is not asking for a password (elevated privileg

Thu Jan 22, 2015 10:41 am

The OP should be using "su" instead of "sudo".

"su" has the semantics he seeks.

Note that even if you modified the "sudoers" file as recommended in a previous post, it still wouldn't work the way the OP wants.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

User avatar
B.Goode
Posts: 8271
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Raspbian is not asking for a password (elevated privileg

Thu Jan 22, 2015 10:59 am

freespace wrote: For clarity:
This is where things stand now:
Raspbian never asks for a password ever, and runs all programs requesting elevated privileges as such without passwords.

This is how I would like things to be:
Whenever any command asks for elevated privileges via either "sudo" or "gksu" I would like Raspbian to ask me for an administrative password before running that command, and not to run that command if a password is not given or is given incorrectly.
Welcome to the forums.

My installations of Raspbian all boot to the shell prompt and do ask for a password at that point.

Ultimately, this is your system and you are welcome to configure it as you wish if you want a different setup to the default.

There have been debates/discussions in the past as to whether the choices made by RPF and the system maintainers with regard to security and escalation of privilege are appropriate/correct - I see no point in re-hashing that again here.

freespace
Posts: 5
Joined: Wed Jan 21, 2015 7:40 pm

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 12:32 am

Ok thanks for all the replies so far, but non of this has addressed the main issue here which I was hoping would be made clear by the last section of my original post entitled "For clarity:".

I'll take the replies one at a time here:
by FTrevorGowen » Y2015-M01-D22, 2:11 am
...To change this you need to edit /etc/sudoers using visudo. More details can be found within the man page for sudo and within the file itself.
I have read up on and I believe I am informed on the use of sudo and visudo however no information is given or has been given on how to implement the changes I'm seeking in either the man pages for sudo or visudo, nor in this thread, nor on any other thread I have searched so far. If you are going to give this advice could you please also provide the information on how one should edit the /etc/sudoers file in order to implement the changes I'm seeking to make or provide a link to that information? I give that request in spite of my genuine gratitude for the information you've provided because from what I've found on the net so far, it really is starting to look as if that information just doesn't exist at all anywhere (see next for more clarity on my confusion).

I've compared the default /etc/sudoers file in Ubuntu with that found in a fresh install the Raspbian and so far all I can tell is that the following entry should not be in /etc/sudoers in Raspbian if I'm seeking to implement what I'm after:
pi ALL=(ALL) ALL
...however I still have no idea if that line should just be erased completely or replaced with something else. The main point being I can't seem to find any information on what would be acceptable replacements for the word "ALL" on the above example and there are way to many things I could guess for a replacement that probably wouldn't work, so guessing a solution is probably not the right approach for this type of problem. Hence my searching through the reference material, websites, forums, and finally asking about it here.
by Joe Schmoe » Y2015-M01-D22, 2:41 am
The OP should be using "su" instead of "sudo".

"su" has the semantics he seeks....
Here are the man page definitions for both "sudo" and "su" respectively:

Code: Select all

SUDO(8)                               BSD System Manager's Manual                               SUDO(8)

NAME
     sudo, sudoedit — execute a command as another user
...and

Code: Select all

SU(1)                                        User Commands                                        SU(1)

NAME
       su - change user ID or become superuser
By my original post it should be clear that I'm not wishing to become the super user or "change user ID", and by what is suggested by the output of "man sudo" and "man su" shown above, it seems to me as if "sudo" and not "su" is what I should be using and in fact on most of the other distributions that I have tried out, "sudo" does appear to work the way I'm wanting it to work here on Raspbian.
by Joe Schmoe » Y2015-M01-D22, 2:41 am
...Note that even if you modified the "sudoers" file as recommended in a previous post, it still wouldn't work the way the OP wants.
Could you please elaborate on why this wouldn't work?
by B.Goode » Y2015-M01-D22, 2:59 am
...There have been debates/discussions in the past as to whether the choices made by RPF and the system maintainers with regard to security and escalation of privilege are appropriate/correct - I see no point in re-hashing that again here.
I concur with your point, and if any one reads any intention in "re-hashing" said "debates/discussions" in my original post or any of my follow up posts, then they are just blatantly miss-reading my intentions for this thread. That being said I would just like to simply state that it is the commonalities in default configuration between various other distributions that I have tried that has lead me to believe that these commonalities must be somewhat ubiquitous in the realm of Linux distributions. Raspbian has surprised me in this regard and has shown me that I can't take the commonality of the default configurations of other distributions as a normative. For that I am grateful as it broadens my view of how default configurations can be.

Note:
  1. Pleas see the original post under the section "For clarity:" for what is still yet to be obtained here in this thread.
  2. I am still actively seeking a solution to the problem and if I find one I will post it here, but it would really speed up the process if someone already knows and is willing to share that information here.
Remaining Requests:
  1. If this is 100% completely solvable by editing the "/etc/sudoers" file, and you have sudo working the way I wish to have it working, can you please post at least the relevant part of your "/etc/sudoers" file here as a reference for any future Raspbian users who wish to achieve the same results from a sudo or gksu command?
  2. If this is not solvable by the above method then, can someone please fill in the gaps that are missing from this discussion?
Thanks again for all the input and posts so far. This really has helped and I'm looking forward to either solving this myself or getting some more input whichever comes first.

ripat
Posts: 191
Joined: Tue Jul 31, 2012 11:51 am
Location: Belgium

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 6:53 am

The default sudo configuration for the raspbian distro enables the default pi user to sudo any commands with no password. If you want to change that, you will need to do two things:
  1. add the pi user or any other user to the sudo group:

    Code: Select all

    sudo usermod -a -G sudo <username>
  2. comment out the following line in the sudoers configuration file (using the visudo command):

    Code: Select all

    # <username> ALL=(ALL) NOPASSWD: ALL
  3. make sure you have this line in the sudoers file (should be there by default):

    Code: Select all

    %sudo   ALL=(ALL:ALL) ALL
  4. save/exit the visudo editor
Next time you will invoke sudo you will be asked for your password - not the root password as you seem to believe in your original post.

Caution: make sure you strictly follow the above. Any mistake will exclude you from using visudo.
Last edited by ripat on Fri Jan 23, 2015 7:01 am, edited 1 time in total.
Using Linux command line usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

pickfire
Posts: 43
Joined: Fri Dec 19, 2014 3:27 pm

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 7:00 am

I think you are asking for a step-by-step guide(you should say it at first). First, change the root passwd:

Code: Select all

sudo passwd
Second, change nopasswd to passwd:

Code: Select all

sed -i 's/NOPASSWD/PASSWD/' /etc/sudoers
I hope that this article is helpful to you. And I hope you can help to write some documentation about this at https://github.com/raspberrypi/documentation or http://elinux.org/RPi_Hub. Sorry for any grammatical error as english is not my main language.

A few good documentations:
https://github.com/raspberrypi/documentation - The Raspberry Pi official documentation
http://elinux.org/RPi_Hub - A community maintained documentation
http://wiki.archlinux.org - The Arch Linux documentation page

freespace
Posts: 5
Joined: Wed Jan 21, 2015 7:40 pm

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 4:08 pm

ripat wrote:The default sudo configuration for the raspbian distro enables the default pi user to sudo any commands with no password. If you want to change that, you will need to do two things:
  • 1. add the pi user or any other user to the sudo group:...
Isn't the pi user a member of the sudo group by default on a fresh install of Raspbian? For any one else this step can also be achieved using the "adduser" command (or it might be the "addgroup" command. I'm too lazy at the moment to read which one is which, see "man adduser" from the command line for more info).
ripat wrote:
  • 2. comment out the following line in the sudoers configuration file (using the visudo command):

    Code: Select all

    # <username> ALL=(ALL) NOPASSWD: ALL
Done, and thanks for clarifying that this step is necessary.
ripat wrote:
  • 3. make sure you have this line in the sudoers file (should be there by default):

    Code: Select all

    %sudo   ALL=(ALL:ALL) ALL
Isn't the %sudo alias already present in the /etc/sudoers file by default in a fresh install of Raspbian? To this I also added:

Code: Select all

%adm ALL=(ALL) ALL
This makes sure that members of the admin group "adm" have root privileges as well, which is probably redundant in some way, but it is a line that came by default in the /etc/sudoers file for Xubuntu so out of caution I also placed it here as well.
ripat wrote: Next time you will invoke sudo you will be asked for your password - not the root password as you seem to believe in your original post.
From what I have experienced on Raspbian it seems as if there is no difference between "your" password (where here the editorial use of the word "your" is meant) and the "root" password. Can you please elaborate on the difference and how to make sure there is one?

Thanks for the input ripat. This has solved the problem, but before I close this thread I'll wait to see if you would like to respond to any of the follow up questions I've posted here, but seriously thanks because the information you've provided here was a necessary clarification that I wasn't able to find on any other forum or web site anywhere. Thanks.

As a note directed at my earlier question about the use of the "ALL" tag found in /etc/sudoers. Information about this can be found using "man sudoers" from the command line. From there scroll down to the section titled "Tag_Spec". Here are some quotes from that section of the man page for sudoers for your conveniece:
A command may have zero or more tags associated with it. There are eight
possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT...

...By default, sudo requires that a user authenticate him or herself before running
a command. This behavior can be modified via the NOPASSWD tag.
(Editors note: Raspbian has elected to use the NOPASSWD tag on a fresh install making this the
default behavior for the user pi.)

...By default, if the NOPASSWD tag is applied to any of the entries for a user on
the current host, he or she will be able to run sudo -l without a password....
...and if you scroll farther down to the section titled "Other special characters and reserved words" which is near the end of the file you will find the following:
...The reserved word ALL is a built-in alias that always causes a match to succeed.
It can be used wherever one might otherwise use a Cmnd_Alias, User_Alias,
Runas_Alias, or Host_Alias....
(see "man sudoers" for more information).
Last edited by freespace on Fri Jan 23, 2015 4:28 pm, edited 1 time in total.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 4:16 pm

Thanks for the input ripat. This has solved the problem, but before I close this thread I'll wait to see if you would like to respond to any of the follow up questions I've posted here, ...
It's not like you could close the thread anyway. Unless/until you get promoted to forum admin status.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

freespace
Posts: 5
Joined: Wed Jan 21, 2015 7:40 pm

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 4:27 pm

pickfire wrote:I think you are asking for a step-by-step guide(you should say it at first). First, change the root passwd:

Code: Select all

sudo passwd
I sort of disagree with your assessment of what I was asking for here. I knew most of the steps already and I also knew that most of them didn't work to get the results I was looking for. Thankfully ripat was able to understand exactly what I was getting at and offered a clarification that solved the problem. Note that I did try "sudo passwd" before ripat made post#6 and this didn't seem to do anything to change the problem or shed any light on why it was happening.
pickfire wrote: Second, change nopasswd to passwd:

Code: Select all

sed -i 's/NOPASSWD/PASSWD/' /etc/sudoers
ah well ripat beat you to the punch here, and using sed without explaining its use is a bit lacking for others who might read this post in the future. For those that didn't get what was said in pickfire's post here, sed is a stream editor that can take input from some source, make an edit and then output it to some target. Here the -i means case insensitive (if I'm remembering correctly, make sure to use "man sed" from the command line to check this) and the 's/ means to search for the first string given and replace it with the second one (shown in pickfire's comment above), where the target and source were the same, /etc/sudoers. Also note that you will see lots of warnings about only using visudo to edit the /etc/sudoers file both in the file itself and on various forums that discuss the matter and I'm not sure why that is but it might be smarter to use visudo instead of what is being suggested here by pickfire for that reason.
pickfire wrote: I hope that this article is helpful to you. And I hope you can help to write some documentation about this at https://github.com/raspberrypi/documentation or http://elinux.org/RPi_Hub. Sorry for any grammatical error as english is not my main language.

A few good documentations:
https://github.com/raspberrypi/documentation - The Raspberry Pi official documentation
http://elinux.org/RPi_Hub - A community maintained documentation
http://wiki.archlinux.org - The Arch Linux documentation page
Thank you for the suggestions and for posting these helpful resources. :)
Last edited by freespace on Fri Jan 23, 2015 5:42 pm, edited 1 time in total.

User avatar
RaTTuS
Posts: 10415
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 4:32 pm

Personally I
1) add a new user
2) make that user the ability to sudo
3) test it
4) disable the user pi
5) add user accounts for normal people


then I just use my normal account from 1) above ...
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

freespace
Posts: 5
Joined: Wed Jan 21, 2015 7:40 pm

Re: Raspbian is not asking for a password (elevated privileg

Fri Jan 23, 2015 4:54 pm

Joe Schmoe wrote: ...It's not like you could close the thread anyway. Unless/until you get promoted to forum admin status.
A possible jab at the powers in charge of adding this functionality for users? ;)
I guess my familiarity with so many other forums allowing this function by default made me think I would get it here as well. Now I'm really starting to see that this is a systemic problem I seem to have. Note to self: Take nothing for granted in the future. (As if that will work.) :D
RaTTuS wrote: 1) add a new user
2) make that user the ability to sudo
3) test it
4) disable the user pi
5) add user accounts for normal people
...and if a person wants to add about 18MB more to there install they could add a GUI to do this as well by using the following from a command line:

Code: Select all

sudo apt-get --no-install-recommends install gnome-system-tools
This will install the graphical user management system found in Gnome to "Menu" --> "Preferences" --> "Users and Groups" from within the GUI for Raspbian along with a few other things.
Note: The "Advanced" button in the "Users and Groups" user management window will bring up a window which doesn't fit on smaller screens and leaves the "Cancel" and "OK" buttons off the screen where this window can not be re-sized vertically.

That problem has a worked-around by editing line 2627 and line 2228 in the file:
/usr/share/gnome-system-tools/ui/users.ui
In that file on lines 2627 and 2228 change: "vertical" to "horizontal". This will not fix the height of the "advanced" settings window from going off the screen, but it will bring the "Cancel" and "OK" buttons to the side of the window where they will be visible and accessible on smaller screens. Note that if you have made the changes to your system as outlined in this thread you will need to edit that file with elevated privelages as follows:
From the command line use:

Code: Select all

sudo nano /usr/share/gnome-system-tools/ui/users.ui
From the Raspbian GUI use:

Code: Select all

gksu leafpad /usr/share/gnome-system-tools/ui/users.ui
Credit: All of the information given here, on user management via gnome-system-tools was obtained at the following forum:
http://forum.linuxvillage.org/index.php ... n84upafuj6

Thanks for the Tip RaTTuS! :D Now that post# 6 has clarified a point and allowed me to fix the problem I'll most likely be doing this as well. Thanks.

pickfire
Posts: 43
Joined: Fri Dec 19, 2014 3:27 pm

Re: Raspbian is not asking for a password (elevated privileg

Sat Jan 24, 2015 1:43 am

freespace wrote:
pickfire wrote:I think you are asking for a step-by-step guide(you should say it at first). First, change the root passwd:

Code: Select all

sudo passwd
I sort of disagree with your assessment of what I was asking for here. I knew most of the steps already and I also knew that most of them didn't work to get the results I was looking for. Thankfully ripat was able to understand exactly what I was getting at and offered a clarification that solved the problem. Note that I did try "sudo passwd" before ripat made post#6 and this didn't seem to do anything to change the problem or shed any light on why it was happening.
I knew you did it, but that is for others that did not change the root passwd and I forgot to say that you had already did it. Sorry.
freespace wrote:
pickfire wrote: Second, change nopasswd to passwd:

Code: Select all

sed -i 's/NOPASSWD/PASSWD/' /etc/sudoers
ah well ripat beat you to the punch here, and using sed without explaining its use is a bit lacking for others who might read this post in the future. For those that didn't get what was said in pickfire's post here, sed is a stream editor that can take input from some source, make an edit and then output it to some target. Here the -i means case insensitive (if I'm remembering correctly, make sure to use "man sed" from the command line to check this) and the 's/ means to search for the first string given and replace it with the second one (shown in pickfire's comment above), where the target and source were the same, /etc/sudoers. Also note that you will see lots of warnings about only using visudo to edit the /etc/sudoers file both in the file itself and on various forums that discuss the matter and I'm not sure why that is but it might be smarter to use visudo instead of what is being suggested here by pickfire for that reason.
Well I did say to change NOPASSWD to PASSWD but just indirectly.
pickfire wrote:Second, change nopasswd to passwd:

Return to “Raspbian”