jp.s
Posts: 5
Joined: Sat Nov 24, 2018 4:30 pm

Pi user-change or create new

Sat Nov 24, 2018 4:40 pm

Hello,
I would like to make my Pi more secure and I would like to know the pros and cons of changing the user name from Pi to another, and creating a new user and deleting the Pi user.

Thanks for the help.
jp

k-pi
Posts: 929
Joined: Sun Feb 12, 2017 1:46 pm
Location: Upper Hale, Surrey, UK.

Re: Pi user-change or create new

Sat Nov 24, 2018 6:34 pm

The pi user is quite entwined in Raspbian; there will be several other areas where you need to change the user name. There were a few posts about this subject a little while back, which you should be able to find by searching, but basically, it is easiest to just change the pi user's password. 8-)

jp.s
Posts: 5
Joined: Sat Nov 24, 2018 4:30 pm

Re: Pi user-change or create new

Sat Nov 24, 2018 6:53 pm

Thanks k-pi.
Yes, I did read that the Raspberry Pi is a bit intertwined with the user pi. That is why I am searching for more info.
For example, what happens if you delete the user pi as directed in the help section of the Raspberry Pi: documentation>configuration>security>securing your raspberry pi?
I am having a hard time finding the pros and cons of deleting the pi user vs changing the pi user name.

Cheers,
jp

epoch1970
Posts: 7730
Joined: Thu May 05, 2016 9:33 am
Location: France

Re: Pi user-change or create new

Sat Nov 24, 2018 7:13 pm

I have some doubt the string "pi" is hardcoded in too many places in the Desktop version but I could be wrong --and I wouldn't be alone in this case :)

As for Lite:

I would say creating new or renaming and moving the homedir is about the same. Creating new is safer: if you go wrong, scratch the user and try again.
A new user will have a different UID:GID. "pi" is 1000:1000, the next user will be 1001:1001. You could alter that later with usermod/groupmod
The different UID/GID is no problem until you start exchanging files with other machines, where 1000:1000 exists, but 1001:1001 does not. There are ways of managing that if the situation arises.

If you create a user and you want to give it pi powers, have a look at "id pi" and possibly /etc/sudoers. With usermod (and maybe a touch of visudo) you can fully clone the user pi.
"If there is no solution, it is because there is no problem." Les Shadoks, J. Rouxel

jp.s
Posts: 5
Joined: Sat Nov 24, 2018 4:30 pm

Re: Pi user-change or create new

Sat Nov 24, 2018 7:24 pm

Thanks epoch1970.

It sounds like copying is safer than changing.

Thanks,
jp

HawaiianPi
Posts: 7129
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: Pi user-change or create new

Sun Nov 25, 2018 5:27 am

I usually create my own user then disable the pi user with,

Code: Select all

sudo passwd --lock pi

This kills the pi user password so pi can't login (although auto-login still works, so be sure to disable that).

I do change the pi user password initially, just to be safe while setting up new users. Then I change it again to a large random password before disabling pi. The random password is probably overkill, but it's simple to do with APG.

I haven't run into any problems with pi disabled, but if I do, creating a new password for pi makes it available again.

Use the command groups pi to see what groups the default user belongs to, then add your new user to all the same groups (except the pi group). Then you can use the command again with both names to compare (groups pi username).

In the /etc/sudoers.d folder you'll find the file 010_pi-nopasswd and you can either add your new user to that, or create a new file for your user with the same information (substituting your username). If you want to require your user to use their password, then change ALL=(ALL) NOPASSWD: ALL to ALL=(ALL:ALL) ALL in the file in sudoers.d (otherwise, for passwordless sudo, just copy the entry of the pi user).
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups, and where is that annoying music coming from?

achrn
Posts: 452
Joined: Wed Feb 13, 2013 1:22 pm

Re: Pi user-change or create new

Sun Nov 25, 2018 8:52 am

I too would like to know what the terrible fate that will befall anyone that renames the pi user is, and where all these hard-coded problems lurk, because I've been doing it for years on multiple pis, and haven't found one of them yet. It all sounds like FUD or here-be-dragons to me.

Admittedly, I don't do it on a running pi - I mount the sd card and make some changes before first boot:
  • change the name in /etc/passwd (both the user name and the home directory name)
  • change the name in /etc/shadow
  • change all the occurrences in /etc/group
  • change all the occurrences in /etc/gshadow
  • change all the occurrences in /etc/sudoers
  • rename the home directory
Also, I did find problems with octopi a couple of years ago - on that I do now retain the 'pi' user.

I don't do all this manually each time:
(use at your own risk - I run this as root (i.e. sudo it) in the root directory of the mounted SD card)

Code: Select all

#!/bin/sh

# remind the user what they are up to
echo "Script to change username 'pi' in a new Raspberry Pi image"
echo "This should be run within root directory of a fresh disk image"
echo "BEFORE it has been booted for first time"
echo ""

# $USER is set in shell so don't need this
#USER=$(/usr/bin/whoami)
# check if root
echo "running as $USER"
[ "$USER" != 'root' ] && echo "aborting because need to run as root" && exit 1
echo ""

# get the new user name
read -p "Enter username to replace 'pi': " NEWNAME
# bail out if blank
[ -z "$NEWNAME" ] && echo "aborting because no name provided" && exit 1
echo ""

# ask if they want to proceed
echo "Renaming 'pi' user to '$NEWNAME'"
# get a confirmation response,
read -p "proceed? " RESPONSE
# convert to lower case and just first character
RESPONSE=$(echo "$RESPONSE" | tr '[:upper:]' '[:lower:]' | cut -c 1)
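# bail out unless that was 'y' (quoted, so an empty answer also aborts
# instead of making the test fail and the script carry on)
[ "$RESPONSE" != 'y' ] && exit 1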

# passwd file has username as first field, and also update the home directory
echo "etc/passwd ..."
echo "============"
cp etc/passwd etc/passwd_pre-rename
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/passwd
# change home directory
# note using # as sed substitute character to avoid trouble with directory '/' chars
/bin/sed -i -r -e "s#:/home/pi:#:/home/$NEWNAME:#1" etc/passwd
/bin/grep -e ^$NEWNAME etc/passwd
echo ""

# shadow file has username as first field
echo "etc/shadow ..."
echo "============"
cp etc/shadow etc/shadow_pre-rename
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/shadow
/bin/grep -e ^$NEWNAME etc/shadow
echo ""

# group file has list of usernames as last field
echo "etc/group ..."
echo "============"
cp etc/group etc/group_pre-rename
# rename the group that is called pi
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/group
/bin/grep -e ^$NEWNAME etc/group
# now rename all the usernames within groups
# this is where only a single user is in the group
/bin/sed -i -r -e "s/:pi$/:$NEWNAME/1" etc/group
# pi is first / mid / last user in a multi-user group respectively 
/bin/sed -i -r -e "s/^(.*:.*:.*:)pi,(.*)$/\1$NEWNAME,\2/1" etc/group
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi,(.*)$/\1,$NEWNAME,\2/1" etc/group
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi$/\1,$NEWNAME/1" etc/group
/bin/grep -e ".*:.*:.*:.*$NEWNAME" etc/group
echo ""

# gshadow file is same structure as group
echo "etc/gshadow ..."
echo "============"
cp etc/gshadow etc/gshadow_pre-rename
# rename the group that is called pi
/bin/sed -i -r -e "s/^pi:/$NEWNAME:/1" etc/gshadow
/bin/grep -e ^$NEWNAME etc/gshadow
# now rename all the usernames within groups
# this is where only a single user is in the group
/bin/sed -i -r -e "s/:pi$/:$NEWNAME/1" etc/gshadow
# pi is first / mid / last user in a multi-user group respectively 
/bin/sed -i -r -e "s/^(.*:.*:.*:)pi,(.*)$/\1$NEWNAME,\2/1" etc/gshadow
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi,(.*)$/\1,$NEWNAME,\2/1" etc/gshadow
/bin/sed -i -r -e "s/^(.*:.*:.*:.*),pi$/\1,$NEWNAME/1" etc/gshadow
/bin/grep -e ".*:.*:.*:.*$NEWNAME" etc/gshadow
echo ""

# sudoers file has username as first field, with whitespace as separator
echo "etc/sudoers ..."
echo "============"
cp etc/sudoers etc/sudoers_pre-rename
# rename pi entry
/bin/sed -i -r -e "s/^pi(\s)/$NEWNAME\1/1" etc/sudoers
/bin/grep -e ^$NEWNAME etc/sudoers
echo ""

# rename home directory
echo "rename home directory ..."
echo "============"
/bin/mv home/pi home/$NEWNAME
ls -l home
echo ""

fbe
Posts: 689
Joined: Thu Aug 17, 2017 9:08 pm

Re: Pi user-change or create new

Sun Nov 25, 2018 12:17 pm

HawaiianPi wrote:
Sun Nov 25, 2018 5:27 am
I usually create my own user then disable the pi user with,

Code: Select all

sudo passwd --lock pi

This kills the pi user password so pi can't login (although auto-login still works, so be sure to disable that).

... and remove the pi-greeter package. You can use the lightdm-gtk-greeter instead. I had an update of pi-greeter today. Auto-login was automatically enabled by the update.

Code: Select all

pi@raspberrypi:~ $ cat /var/lib/dpkg/info/pi-greeter.postinst
#!/bin/sh

set -e

if [ "$1" = "configure" ]; then
  update-alternatives --install /usr/share/xgreeters/lightdm-greeter.desktop \
  lightdm-greeter /usr/share/xgreeters/pi-greeter.desktop 70
  if [ -e /etc/lightdm/lightdm.conf ] ; then
    sed -i /etc/lightdm/lightdm.conf -e "s/#greeter-hide-users=.*/greeter-hide-users=false/"
    sed -i /etc/lightdm/lightdm.conf -e "s/#greeter-session=.*/greeter-session=pi-greeter/"
    sed -i /etc/lightdm/lightdm.conf -e "s/#autologin-user=.*/autologin-user=pi/"
  fi
fi



exit 0
pi@raspberrypi:~ $ cat /etc/lightdm/lightdm.conf | grep autologin-user
# autologin-user = User to log in with by default (overrides autologin-guest)
# autologin-user-timeout = Number of seconds to wait before loading default user
autologin-user=pi
#autologin-user-timeout=0
pi@raspberrypi:~ $ sudo raspi-config
pi@raspberrypi:~ $ cat /etc/lightdm/lightdm.conf | grep autologin-user
# autologin-user = User to log in with by default (overrides autologin-guest)
# autologin-user-timeout = Number of seconds to wait before loading default user
#autologin-user=
#autologin-user-timeout=0
pi@raspberrypi:~ $ sudo sed -i /etc/lightdm/lightdm.conf -e "s/#autologin-user=.*/autologin-user=pi/"
pi@raspberrypi:~ $ cat /etc/lightdm/lightdm.conf | grep autologin-user
# autologin-user = User to log in with by default (overrides autologin-guest)
# autologin-user-timeout = Number of seconds to wait before loading default user
autologin-user=pi
#autologin-user-timeout=0
pi@raspberrypi:~ $

Works as designed. :twisted:

jp.s
Posts: 5
Joined: Sat Nov 24, 2018 4:30 pm

Re: Pi user-change or create new

Sun Nov 25, 2018 6:01 pm

Thank you all for the great info.

I ended up making a new user and removing the pi user--I did this before I saw the last few posts.
So far so good.

Cheers,
jp

fbe
Posts: 689
Joined: Thu Aug 17, 2017 9:08 pm

Re: Pi user-change or create new

Sun Nov 25, 2018 7:47 pm

If you are asked by a dialog window to authenticate as "pi" or "root" (or root only) look into /etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf
I'm using xrdp and get this dialog when selecting anything other than logoff in the shutdown dialog.

something like

Code: Select all

[Configuration]
AdminIdentities=unix-group:sudo;unix-user:0

could be less stupid.

This file belongs to the raspberry-pi-ui-mods package.

I believe, if you edit it, you are asked on updates of this package, how to proceed (keep your version, use the packager's version ...)

Actually the Raspberry Pi Desktop should better be called "Pi Desktop". It appears that it is not supposed to work for other users than pi.

jp.s
Posts: 5
Joined: Sat Nov 24, 2018 4:30 pm

Re: Pi user-change or create new

Mon Nov 26, 2018 2:28 am

Hi All,

I've got my first problem:

After creating a new user and deleting user pi, I can no longer save a PDF with Chromium. Chromium starts the download and then stops, saying "Failed - Insufficient permissions".

I have been trying to figure out who doesn't have permissions: me the user, or Chromium? I think it might be me since I can't copy things in my own folders through the GUI. I have been trying to read up on owners and groups but I am getting a little lost.

Can any of you help me figure this one out?

Thanks,
jp

Paul Hutch
Posts: 663
Joined: Fri Aug 25, 2017 2:58 pm
Location: Blackstone River Valley, MA, USA

Re: Pi user-change or create new

Mon Nov 26, 2018 4:45 pm

For Raspberry Pis in a network where I control the security, I just change the password of the pi user.

For Pis that will end up on a network I don't control the security of, I create a new user and disable the pi user with these steps:
  • Create a new user:

    Code: Select all

    sudo adduser newusername
  • Add the new user to the same groups as user pi:

    Code: Select all

    sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio newusername
  • Logout and then login as the new user
  • Lockout (retire) the pi user by locking and expiring the account and setting its shell to false.

    Code: Select all

    sudo usermod -L -s /bin/false -e 1 pi
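
Added example, not part of the thread or of Raspbian: a shell function that checks a root tree for the points raised in the posts above (password lock, account expiry, login shell, lightdm autologin, the sudoers NOPASSWD entry). The names `audit_pi` and `make_sample` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. ROOT is "/" on a running Pi or the
# mount point of its SD card; reading etc/shadow needs root.
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on error.
audit_pi() {
    root=${1%/}; found=0
    note() { echo "FINDING: $*"; found=1; }
    [ -r "$root/etc/shadow" ] || { echo "cannot read $root/etc/shadow" >&2; return 2; }
    # shadow: field 2 = hash, field 8 = expiry day; "x" marks that a pi line exists.
    entry=$(awk -F: '$1 == "pi" { print "x" $2 ":" $8 }' "$root/etc/shadow")
    [ -n "$entry" ] || return 0            # pi was deleted: nothing to audit
    hash=${entry%:*}; expiry=${entry##*:}
    case $hash in
        'x!'*|'x*'*) ;;                    # locked, e.g. by passwd --lock
        *) note "pi password is not locked" ;;
    esac
    # Locking only blocks password logins; expiry (usermod -e 1) disables the account.
    today=$(( $(date +%s) / 86400 ))
    if [ -z "$expiry" ] || [ "$expiry" -gt "$today" ]; then
        note "pi account is not expired"
    fi
    shell=$(awk -F: '$1 == "pi" { print $7 }' "$root/etc/passwd")
    case $shell in
        */false|*/nologin) ;;
        *) note "pi login shell is ${shell:-unset}" ;;
    esac
    # The pi-greeter postinst shown in the thread can re-enable this on update.
    conf=$root/etc/lightdm/lightdm.conf
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*autologin-user[[:space:]]*=[[:space:]]*pi[[:space:]]*$' "$conf"; then
        note "lightdm autologin-user=pi is active"
    fi
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^pi[[:space:]].*NOPASSWD' "$f"; then
            note "passwordless sudo for pi in ${f#"$root"}"
        fi
    done
    return $found
}
# Constructed sample: pi locked with passwd --lock only, everything else default.
make_sample() {
    mkdir -p "$1/etc/lightdm" "$1/etc/sudoers.d"
    echo 'pi:!$6$constructed$hash:17800:0:99999:7:::' > "$1/etc/shadow"
    echo 'pi:x:1000:1000:,,,:/home/pi:/bin/bash' > "$1/etc/passwd"
    echo 'autologin-user=pi' > "$1/etc/lightdm/lightdm.conf"
    echo 'pi ALL=(ALL) NOPASSWD: ALL' > "$1/etc/sudoers.d/010_pi-nopasswd"
}
if [ $# -gt 0 ]; then audit_pi "$1"
else d=$(mktemp -d); make_sample "$d"; audit_pi "$d" || true; rm -rf "$d"; fi
```

Run without arguments it audits the constructed sample; under sudo with `/` (or an SD card mount point) as the argument it audits a real tree.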

SKarp
Posts: 2
Joined: Sat Jun 30, 2012 6:26 pm

Re: Pi user-change or create new

Sun Jan 20, 2019 5:47 pm

achrn wrote:
Sun Nov 25, 2018 8:52 am
I too would like to know what the terrible fate that will befall anyone that renames the pi user is, and where all these hard-coded problems lurk, because I've been doing it for years on multiple pis, and haven't found one of them yet. It all sounds like FUD or here-be-dragons to me.

Insert laughter here.

achrn wrote:
Sun Nov 25, 2018 8:52 am
Admittedly, I don't do it on a running pi - I mount the sd card and make some changes before first boot:

I just wanted to say thank you for this. I tried your script on a new installation and it worked like a charm.

There was a series of authentication errors on the first boot when it tried to log in as pi, but then it seemed to give up and prompted me for the password for the account name I'd set up. Desktop appeared, and all was fine.

Since this was for a server, I didn't bother to dig into the autologin setup, but just went through raspi-config to disable the gui.

No problems found so far.
