Einar's blog

Insecure sudo settings in RaspberryPi OS

I have a RaspberryPi 5. Since Debian does not supply an image for use with the RPi5 and Ubuntu Server comes with a lot of software I do not want preinstalled, I use RaspberryPi OS Lite and run my own script to set it up with Sway and the other packages I like. It is very similar to Debian, even though it adds an extra repo, a few settings that are different and some programs for changing settings: some directly related to the hardware, others that replicate standard tools such as localectl, passwd and systemctl enable in a more convenient TUI.

For a while, I have wondered why I only needed to type my password once when using sudo and then never again. It means that if you are logged in as your user, you have all the privileges of root once you have typed your password a single time. It is convenient, but it is like logging in as the root user, which is not a very good idea.

I had a look at visudo, the command for editing sudo's settings, and everything looked quite normal, except that at the end the file includes any file in the directory /etc/sudoers.d/. So naturally, I had a look in that directory. There are some files there that cause problems. The first one is 010_pi-nopasswd, which sets up sudo to never time out the sudo password typed by the first user created on the system.

Another problem is that the sudo authentication isn't per shell, terminal or tty, but global. This is in the file /etc/sudoers.d/010_global_tty. Usually, you would have to type your password to get sudo privileges in each terminal, shell or tty, but on RaspberryPi OS, sudo accepts the password I typed once in tty1 in every shell, terminal or tty.

Finally, there is a file called 010_proxy which accepts sudo from any proxy logged in as the first user, i.e. since I typed a password once in tty1, any proxy logged in as me never has to type a password again to escalate privileges with sudo. Not the best setting either.

To mitigate the problem, you should first make sure you are in the sudo group by typing sudo usermod -aG sudo username in a terminal and pressing return, replacing username with your actual username. This is because we are going to delete the file that lets your user type the sudo password only once, but still want your user to be able to use sudo. The sudoers file on RaspberryPi OS is set up so that users in the sudo group can use sudo.

Then you should type sudo rm /etc/sudoers.d/010_pi-nopasswd and press return to delete the file that lets your user type the password only once. Continue with sudo rm /etc/sudoers.d/010_global-tty and return to remove the setting that doesn't ask for a new password in every tty, terminal or shell. Go on with sudo rm /etc/sudoers.d/010_proxy and return so that proxies are no longer exempt from typing a password. Finally, type sudo visudo and look for a line that says Defaults env_reset. Move your cursor to the end of that line with the cursor keys and press return to get a new line. Type Defaults timestamp_timeout=5 to get a five minute timeout for sudo. Then press ctrl-o, return when it asks for a filename to save to, and ctrl-x to quit Nano. (RaspberryPi OS does not respect your setting for $EDITOR and will use Nano.)
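The steps above as a script, added here as an example and not the post's own install script. It assumes the file names exactly as the post gives them (the tty drop-in is spelled both 010_global_tty and 010_global-tty in the post, so both are checked), and it differs from the post in one way: the timeout is written to a new drop-in in /etc/sudoers.d, which /etc/sudoers includes as described above, rather than typed into /etc/sudoers in visudo. The names NOPASSWD and tty_tickets in the audit are the sudoers keywords that normally produce the behaviour the post describes; that they appear in these particular files is an assumption, which is why the script prints what the files actually contain before anything is deleted. With no argument it only reports; SUDOERS_D can be pointed at a copy of the directory to try it without touching the real one.

```shell
#!/bin/sh
# Added example, not the post's own script: audit the sudo drop-ins the post
# describes and, on request, apply the post's fix. With no argument it only
# reports; "apply" removes the drop-ins, adds the timeout and validates.
# Assumptions: the file names are as the post gives them, and the timeout goes
# into a new drop-in rather than into /etc/sudoers itself.

SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"   # override to audit a copy safely
TIMEOUT_MINUTES="${TIMEOUT_MINUTES:-5}"     # the post's five-minute timeout

# The post spells the tty drop-in two ways, so both are listed; whichever
# exists is the one acted on.
RISKY_NAMES="010_pi-nopasswd 010_global_tty 010_global-tty 010_proxy"

# Print, one per line, which of the named drop-ins exist in directory $1.
find_risky_dropins() {
  for name in $RISKY_NAMES; do
    [ -e "$1/$name" ] && echo "$name"
  done
  return 0
}

# Print every line in directory $1 that changes password prompting: NOPASSWD
# rules, the per-tty ticket setting and any existing timestamp_timeout.
audit_dropins() {
  grep -HnE 'NOPASSWD|tty_tickets|timestamp_timeout' "$1"/* 2>/dev/null
  return 0
}

# The post's three "sudo rm" steps; files not in the list are left alone.
remove_risky_dropins() {
  for name in $RISKY_NAMES; do
    rm -f "$1/$name"
  done
}

# Put the timeout in its own drop-in in $1 instead of editing /etc/sudoers in
# visudo. sudo ignores drop-ins whose name contains a dot and refuses ones
# with the wrong permissions, so the name and the 0440 mode both matter.
write_timeout_dropin() {
  printf 'Defaults timestamp_timeout=%s\n' "$2" > "$1/020_timestamp_timeout"
  chmod 0440 "$1/020_timestamp_timeout"
}

# The post's usermod step: keep sudo access through the sudo group once the
# no-password rule is gone.
ensure_sudo_group() {
  id -nG "$1" | tr ' ' '\n' | grep -qx sudo || usermod -aG sudo "$1"
}

case "${1:-audit}" in
  audit)
    echo "Named drop-ins present in $SUDOERS_D:"
    find_risky_dropins "$SUDOERS_D"
    echo "Settings affecting password prompts:"
    audit_dropins "$SUDOERS_D"
    ;;
  apply)
    ensure_sudo_group "${SUDO_USER:-$(id -un)}"
    remove_risky_dropins "$SUDOERS_D"
    write_timeout_dropin "$SUDOERS_D" "$TIMEOUT_MINUTES"
    visudo -c   # parse check so a mistake cannot lock sudo out
    ;;
esac
```

Run it once without arguments to see which drop-ins exist and what they set, then sudo sh fixsudo.sh apply to make the change; the final visudo -c reports any syntax problem while you still have a working sudo session, and the timeout can be adjusted afterwards by editing only the small 020_timestamp_timeout file.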

My install script for Debian checks if I am on RaspberryPi OS and does the things I have listed above, except adding the timeout to the sudoers file. That file is supposed to be edited only with visudo, so I tell the user to do this manually at the end of my script. The script also checks whether the user is on Debian or RaspberryPi OS and installs Firefox on RaspberryPi OS and Firefox-ESR (Extended Support Release) on Debian. (I tried installing Firefox from Debian Unstable first, but there were dependency problems with that approach.) Emacs is installed from Backports to get the newest one backported to work with Debian Stable, whether you are on RaspberryPi OS or Debian. In the past, I used the Emacs snap, but Emacs from backports is faster and I trust the Debian maintainers more than the proprietary Snap Store. Since Debian has a stricter interpretation of what Free Software is than the FSF, I also have to enable the non-free repos to install the Emacs documentation.



All content is shared under the terms of the Creative Commons Attribution-ShareAlike license.