Geek Stuff > Tutorials > The Raspberry Pi Superuser > Forcing a password for sudo

Forcing a password for sudo

Introduction

Welcome back to the Raspberry Pi Superuser! In the last tutorial, we installed Java 8 and set up a trc server on our Raspberry Pi 2. In this tutorial, we'll increase security on the Pi by forcing password entry when the sudo command is invoked.

Ready? Let's get started.



Why would I want to do this?

You may already be wondering what benefit there is to forcing users to enter their password when invoking the sudo command. In the case of single-user Pis, forcing password entry increases security in scenarios where you're away from the keyboard, as random passersby aren't able to instantly gain root access to your Pi.

Someone with root access to your Pi has total control over nearly all system files, and as such it's a good idea to only allow access to a regular user account and prevent root access with your password.



How do I set this up?

In order to force password entry, you're going to need to edit the /etc/sudoers file. In order to accomplish this, execute the command:

sudo visudo

By default, your /etc/sudoers file should look like this:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
pi ALL=(ALL) NOPASSWD: ALL

In order to force password entry, we're going to have to change two lines in this file. Comment out the last line of the file by adding a # sign at the beginning, then add the line

pi      ALL=(ALL:ALL) ALL

below the root line under # User privilege specification. Your file should now appear as:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL
pi      ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
#pi ALL=(ALL) NOPASSWD: ALL

Press Ctrl-X to exit nano, and make sure to specify 'yes' when asked if you want to save the modified buffer. Now, to verify that our changes were properly committed, run the following:

sudo echo it worked!

You should receive the output:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for pi:
it worked!

and be prompted for your password for the pi user.