CREATE NEW "SUDO" USER AND LIMIT "pi" USER 1. GENERAL OVERVIEW a. If not done previously, change Pi's default "Raspberry" password to a more secure, hard to guess, "NewPassword" b. Add new user "newuser" with the password "NewPassword" c. Make "newuser" a "sudoer" d. Reboot and verify that you can login as "newuser" and become "root" by the "sudo su" command NOTE: Do NOT go any further until you get step 'd' working!!!!! e. At this point both "pi" and "newuser" are both sudoers. If you log into tightvnc you'll be the "pi" user, and you can log into PuTTY as either "pi" or "newuser". f. Remove "pi" from sudoers and make sure it cannot "sudo su" after a reboot of the Pi. Also make sure "pi" can still log into tightvnc but is NOT a sudoer g. Take away some of "pi"s privileges and if desired even disable "pi" from being able to log directly into command mode via Putty (just as root cannot log in directly). Make sure "pi" can still log into the Pi Desktop. 2. DETAILS, COMMANDS and COMMENTS a. First add the "new user" account and password sudo adduser newuser After entering and verifying the password you will also be asked to enter additional info about "newuser". Enter what you want, or just keep pressing [Enter] until you get back to the command line. b. Now give "newuser" permission to become "root" Edit the /etc/sudoers file as root: NOTE: The "visudo" command makes a temporary copy of the "sudoers" file and starts the "nano" editor on that temporary file. If you change it and exit "nano" after saving the temporary file, it checks that the file is still valid, then copies it to the real "sudoers" and deletes the temporary file. This protects the real file in case something goes wrong while you are editing. sudo visudo Go to the last line, duplicate it, and change "pi" to "newuser" in the duplicate line, then save the temporary file. c. Now verify that "newuser" can login to Pi and become "root". sudo reboot Now login as newuser. Make sure you can become "root". sudo su NOTE: IF YOU COULD NOT LOGIN AS "newuser" OR YOU COULDN'T BECOME "root", DON'T GO ON FURTHER!!! GO BACK AND FIGURE OUT WHAT WENT WRONG! e. Now remove "pi" as a sudoer: sudo visudo Put "#" comment indicator at front of "pi" line so "pi" won't be a sudoer. Save the file. NOTE: Above wasn't enough. User "pi" was STILL a sudoer. This was because pi was still in the "sudo" group (as well as in many other groups). Look at the file /etc/group, look at "man" entry for "group", try out the "id -a" command and "Google" if you want to learn more about groups. So to finish taking away "sudo" permission from "pi": sudo nano /etc/group Remove pi from the end of the "sudo" group definition. Save the "group" file. f. Now verify that "pi" is no longer a sudoer: Become "pi" user. sudo su pi Now try to become root: sudo su That should have failed. If so, exit back to "newuser". exit At this point if you "tightvnc" into x11vnc on Pi, which attaches you to the X11 display :0, you will still be "pi" and still have "sudo" privileges. X11 started as "pi" while "pi" still was a "sudoer". You need to reboot to prevent this. sudo reboot g. Now you may want to remove some privileges from "pi". At this point the user "pi" can still log in and still has many group privileges. You want to keep the user "pi" since that allows you to get into the graphical X11 environment, but you may want to remove some of his privileges. To see what group privileges "pi" has just run the command: id -a pi To remove the "somegroup" privilege from "pi": sudo nano /etc/group Remove pi from the end of the "somegroup" definition. Save the "group" file and exit "nano". NOTE: In theory you could use the above method to remove privileges from user "pi". Be careful what you do in this regard unless you know what you are doing! You don't want to break things by mistake. h. For a little added security you may want to prevent user "pi" from logging in (just as "root" login is prevented). Be careful to use lower case "l", not the digit "1": sudo passwd -l pi Now user "pi" cannot log in directly using PuTTY, but can still log in to the graphical X11 Desktop by using tightvnc via x11vnc. That makes it more difficult for a hacker to SSH into the Pi using the default user "pi" by guessing the "pi" password. 3. SUMMARY The overall result of all these shenanigans are that they make the Pi a little more secure and give it the ability to operate "headlessly". Combined with other changes like: a. Giving "pi" a harder-to-guess password b. Changing the default SSH port c. Adding a new user with "sudo" privilege d. Removing "sudo" privilege from "pi" e. Disabling "pi" login except via X11 Desktop. f. Using SSH tunnel to log in remotely to the Pi Desktop. You still have to forward the new SSH port through your router, though this is not needed for use locally. For a little more security, setup port knocking for opening your new SSH port. Note that if you forward the default 5900 VNC port by mistake anyone could log in as "pi" to Desktop :0 by guessing the "pi" password without going through the tunnel.