Hello,
I would like to make my Pi more secure and I would like to know the pros and cons of changing the user name from Pi to another, and creating a new user and deleting the Pi user.
Thanks for the help.
jp
Re: Pi user-change or create new
The pi user is quite entwined in Raspbian; there will be several other areas where you need to change the user name. There were a few posts about this subject a little while back, which you should be able to find by searching, but basically, it is easiest to just change the pi user's password.

Re: Pi user-change or create new
Thanks k-pi.
Yes, I did read that the Raspberry Pi is a bit intertwined with the user pi. That is why I am searching for more info.
For example, what happens if you delete the user pi as directed in the help section of the raspberry pi: documentation>configuration>security>securing your raspberry pi.
I am having a hard time finding the pros and cons of deleting the pi user vs changing the pi user name.
Cheers,
jp
Re: Pi user-change or create new
I have some doubt the string "pi" is hardcoded in too many places in the Desktop version but I could be wrong --and I wouldn't be alone in this case 
As for Lite:
I would say creating new or renaming and moving the homedir is about the same. Creating new is safer: if you go wrong, scratch the user and try again.
A new user will have a different UID:GID. "pi" is 1000:1000, the next user will be 1001:1001. You could alter that later with usermod/groupmod
The different UID/GID is no problem until you start exchanging files with other machines, where 1000:1000 exists, but 1001:1001 does not. There are ways of managing that if the situation arises.
If you create a user and you want to give it pi powers, have a look at "id pi" and possibly /etc/sudoers. With usermod (and maybe a touch of visudo) you can fully clone the user pi.

"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel
Re: Pi user-change or create new
Thanks epoch1970.
It sounds like copying is safer than changing.
Merci,
jp
- HawaiianPi
Re: Pi user-change or create new
I usually create my own user then disable the pi user with,
Code: Select all
sudo passwd --lock pi
This kills the pi user password so pi can't login (although auto-login still works, so be sure to disable that).
I do change the pi user password initially, just to be safe while setting up new users. Then I change it again to a large random password before disabling pi. The random password is probably overkill, but it's simple to do with APG.
I haven't run into any problems with pi disabled, but if I do, creating a new password for pi makes it available again.
Use the command groups pi to see what groups the default user belongs to, then add your new user to all the same groups (except the pi group). Then you can use the command again with both names to compare (groups pi username).
In the /etc/sudoers.d folder you'll find the file 010_pi-nopasswd and you can either add your new user to that, or create a new file for your user with the same information (substituting your username). If you want to require your user to use their password, then change ALL=(ALL) NOPASSWD: ALL to ALL=(ALL:ALL) ALL in the file in sudoers.d (otherwise, for passwordless sudo, just copy the entry of the pi user).
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups, and where is that annoying music coming from?
Re: Pi user-change or create new
I too would like to know what the terrible fate that will befall anyone that renames the pi user is, and where all these hard-coded problems lurk, because I've been doing it for years on multiple pis, and haven't found one of them yet. It all sounds like FUD or here-be-dragons to me.
Admittedly, I don't do it on a running pi - I mount the sd card and make some changes before first boot:
- change the name in /etc/passwd (both the user name and the home directory name)
- change the name in /etc/shadow
- change all the occurrences in /etc/group
- change all the occurrences in /etc/gshadow
- change all the occurrences in /etc/sudoers
- rename the home directory
I don't do all this manually each time:
(use at your own risk - I run this as root (i.e. sudo it) in the root directory of the mounted SD card)
Code: Select all
#!/bin/sh
# remind the user what they are up to
echo "Script to change username 'pi' in a new Raspberry Pi image"
echo "This should be run within root directory of a fresh disk image"
echo "BEFORE it has been booted for first time"
echo ""
# $USER is set in shell so don't need this
#USER=$(/usr/bin/whoami)
# check if root
echo "running as $USER"
[ "$USER" != 'root' ] && echo "aborting because need to run as root" && exit 1
echo ""
# get the new user name
read -p "Enter username to replace 'pi': " NEWNAME
# bail out if blank
[ -z "$NEWNAME" ] && echo "aborting because no name provided" && exit 1
echo ""
# ask if they want to proceed
echo "Renaming 'pi' user to '$NEWNAME'"
# get a confirmation response,
read -p "proceed? " RESPONSE
# convert to lower case and just first character
RESPONSE=$(echo "$RESPONSE" | tr '[:upper:]' '[:lower:]' | cut -c 1)
# bail out unless that was 'y'
# (quoted so that an empty response aborts instead of causing a test error)
[ "$RESPONSE" != 'y' ] && exit 1
# passwd file has username as first field, and also update the home directory
echo "etc/passwd ..."
echo "============"
cp etc/passwd etc/passwd_pre-rename
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/passwd
# change home directory
# note using # as sed substitute character to avoid trouble with directory '/' chars
/bin/sed -i -r -e "s#:/home/pi:#:/home/$NEWNAME:#1" etc/passwd
/bin/grep -e ^$NEWNAME etc/passwd
echo ""
# shadow file has username as first field
echo "etc/shadow ..."
echo "============"
cp etc/shadow etc/shadow_pre-rename
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/shadow
/bin/grep -e ^$NEWNAME etc/shadow
echo ""
# group file has list of usernames as last field
echo "etc/group ..."
echo "============"
cp etc/group etc/group_pre-rename
# rename the group that is called pi
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/group
/bin/grep -e ^$NEWNAME etc/group
# now rename all the usernames within groups
# this is where only a single user is in the group
/bin/sed -i -r -e "s/:pi$/:$NEWNAME/1" etc/group
# pi is first / mid / last user in a multi-user group respectively
/bin/sed -i -r -e "s/^(.*:.*:.*:)pi,(.*)$/\1$NEWNAME,\2/1" etc/group
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi,(.*)$/\1,$NEWNAME,\2/1" etc/group
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi$/\1,$NEWNAME/1" etc/group
/bin/grep -e ".*:.*:.*:.*$NEWNAME" etc/group
echo ""
# gshadow file is same structure as group
echo "etc/gshadow ..."
echo "============"
cp etc/gshadow etc/gshadow_pre-rename
# rename the group that is called pi
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/gshadow
/bin/grep -e ^$NEWNAME etc/gshadow
# now rename all the usernames within groups
# this is where only a single user is in the group
/bin/sed -i -r -e "s/:pi$/:$NEWNAME/1" etc/gshadow
# pi is first / mid / last user in a multi-user group respectively
/bin/sed -i -r -e "s/^(.*:.*:.*:)pi,(.*)$/\1$NEWNAME,\2/1" etc/gshadow
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi,(.*)$/\1,$NEWNAME,\2/1" etc/gshadow
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi$/\1,$NEWNAME/1" etc/gshadow
/bin/grep -e ".*:.*:.*:.*$NEWNAME" etc/gshadow
echo ""
# sudoers file has username as first field, with whitespace as separator
echo "etc/sudoers ..."
echo "============"
cp etc/sudoers etc/sudoers_pre-rename
# rename pi entry
/bin/sed -i -r -e "s/^pi(\s)/$NEWNAME\1/1" etc/sudoers
/bin/grep -e ^$NEWNAME etc/sudoers
echo ""
# rename home directory
echo "rename home directory ..."
echo "============"
/bin/mv home/pi "home/$NEWNAME"
ls -l home
echo ""
Re: Pi user-change or create new
HawaiianPi wrote: ↑Sun Nov 25, 2018 5:27 am
I usually create my own user then disable the pi user with,
Code: Select all
sudo passwd --lock pi
This kills the pi user password so pi can't login (although auto-login still works, so be sure to disable that).

... and remove the pi-greeter package. You can use the lightdm-gtk-greeter instead. I had an update of pi-greeter today. Auto-login was automatically enabled by the update.
Code: Select all
pi@raspberrypi:~ $ cat /var/lib/dpkg/info/pi-greeter.postinst
#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
update-alternatives --install /usr/share/xgreeters/lightdm-greeter.desktop \
lightdm-greeter /usr/share/xgreeters/pi-greeter.desktop 70
if [ -e /etc/lightdm/lightdm.conf ] ; then
sed -i /etc/lightdm/lightdm.conf -e "s/#greeter-hide-users=.*/greeter-hide-users=false/"
sed -i /etc/lightdm/lightdm.conf -e "s/#greeter-session=.*/greeter-session=pi-greeter/"
sed -i /etc/lightdm/lightdm.conf -e "s/#autologin-user=.*/autologin-user=pi/"
fi
fi
exit 0
pi@raspberrypi:~ $ cat /etc/lightdm/lightdm.conf | grep autologin-user
# autologin-user = User to log in with by default (overrides autologin-guest)
# autologin-user-timeout = Number of seconds to wait before loading default user
autologin-user=pi
#autologin-user-timeout=0
pi@raspberrypi:~ $ sudo raspi-config
pi@raspberrypi:~ $ cat /etc/lightdm/lightdm.conf | grep autologin-user
# autologin-user = User to log in with by default (overrides autologin-guest)
# autologin-user-timeout = Number of seconds to wait before loading default user
#autologin-user=
#autologin-user-timeout=0
pi@raspberrypi:~ $ sudo sed -i /etc/lightdm/lightdm.conf -e "s/#autologin-user=.*/autologin-user=pi/"
pi@raspberrypi:~ $ cat /etc/lightdm/lightdm.conf | grep autologin-user
# autologin-user = User to log in with by default (overrides autologin-guest)
# autologin-user-timeout = Number of seconds to wait before loading default user
autologin-user=pi
#autologin-user-timeout=0
pi@raspberrypi:~ $
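
The checks mentioned across the posts above (locked password, login shell, lightdm autologin, the 010_pi-nopasswd sudoers entry) combined into one audit function, as an added example that is not part of any forum post. The finding labels and the sample tree are constructed for illustration; the first argument is assumed to be a filesystem root, either / or a mounted SD card.

```shell
#!/bin/sh
# Added example (not from the thread): report ways the default account can
# still be used. $1 = filesystem root ("/" or a mounted SD card), $2 = user.
audit_default_user() {
    root=${1%/}; user=${2:-pi}
    if grep -q "^${user}:" "$root/etc/passwd" 2>/dev/null; then
        # passwd --lock / usermod -L put '!' in front of the hash in shadow
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$root/etc/shadow" 2>/dev/null)
        case "$hash" in
            '!'*|'*') ;;
            *) echo "PASSWORD_NOT_LOCKED" ;;
        esac
        # a locked password does not stop SSH-key logins, so also look at
        # the login shell (usermod -s /bin/false)
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$root/etc/passwd")
        case "$shell" in
            */false|*/nologin) ;;
            *) echo "LOGIN_SHELL:$shell" ;;
        esac
    fi
    # lightdm autologin needs no password at all
    conf="$root/etc/lightdm/lightdm.conf"
    if [ -f "$conf" ] && grep -Eq "^[[:space:]]*autologin-user[[:space:]]*=[[:space:]]*${user}[[:space:]]*\$" "$conf"; then
        echo "AUTOLOGIN_ENABLED"
    fi
    # leftover passwordless sudo rules such as 010_pi-nopasswd
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        if grep -Eq "^${user}[[:space:]].*NOPASSWD" "$f"; then
            echo "NOPASSWD_SUDO:$rel"
        fi
    done
    return 0
}

# Constructed sample tree: pi locked with passwd --lock only, autologin left on.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/lightdm" "$d/etc/sudoers.d"
    echo 'pi:x:1000:1000:,,,:/home/pi:/bin/bash' > "$d/etc/passwd"
    echo 'pi:!$6$constructed$hash:17860:0:99999:7:::' > "$d/etc/shadow"
    echo 'autologin-user=pi' > "$d/etc/lightdm/lightdm.conf"
    echo 'pi ALL=(ALL) NOPASSWD: ALL' > "$d/etc/sudoers.d/010_pi-nopasswd"
    audit_default_user "$d" pi
    rm -rf "$d"
}
demo
```

On a running Pi, call `audit_default_user / pi` as root (reading /etc/shadow needs it); an empty result means none of the four conditions was found.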

Re: Pi user-change or create new
Thank you all for the great info.
I ended up making a new user and removing the pi user--I did this before I saw the last few posts.
So far so good.
Cheers,
jp
Re: Pi user-change or create new
If you are asked by a dialog window to authenticate as "pi" or "root" (or root only) look into /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf
I'm using xrdp and get this dialog when selecting anything other than logoff in the shutdown dialog.
something like
Code: Select all
[Configuration]
AdminIdentities=unix-group:sudo;unix-user:0
could be less stupid.
This file belongs to the raspberry-pi-ui-mods package.
I believe, if you edit it, you are asked on updates of this package, how to proceed (keep your version, use the packager's version ...)
Actually the Raspberry Pi Desktop should better be called "Pi Desktop". It appears that it is not supposed to work for other users than pi.
Re: Pi user-change or create new
Hi All,
I've got my first problem:
After creating a new user and deleting user pi.
I can no longer save a pdf with chromium. Chromium starts the downloads and then stops saying "Failed - Insufficient permissions"
I have been trying to figure out who doesn't have permissions? Me the user, or Chromium. I think it might be me since I can't copy things in my own folders through the gui. I have been trying to read up on owners and groups but I am getting a little lost.
Can any of you help me figure this one out?
Thanks,
jp
Re: Pi user-change or create new
For Raspberry Pi's in a network where I control the security, I just change the password of the pi user.
For Pi's that will end up on a network I don't control the security of I create a new user and disable the pi user with these steps.
- Create a new user:
Code: Select all
sudo adduser newusername
- Add the new user to the same groups as user pi:
Code: Select all
sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio newusername
- Logout and then login as the new user
- Lockout (retire) the pi user by locking and expiring the account and setting its shell to false.
Code: Select all
sudo usermod -L -s /bin/false -e 1 pi
Re: Pi user-change or create new
achrn wrote: ↑Sun Nov 25, 2018 8:52 am
I too would like to know what the terrible fate that will befall anyone that renames the pi user is, and where all these hard-coded problems lurk, because I've been doing it for years on multiple pis, and haven't found one of them yet. It all sounds like FUD or here-be-dragons to me.

Insert laughter here.
I just wanted to say thank you for this. I tried your script on a new installation and it worked like a charm.
There was a series of authentication errors on the first boot when it tried to log in as pi, but then it seemed to give up and prompted me for the password for the account name I'd set up. Desktop appeared, and all was fine.
Since this was for a server, I didn't bother to dig into the autologin setup, but just went through raspi-config to disable the gui.
No problems found so far.