0

I don't want pi to be able to use sudo on a recently installed Raspbian on PI 3.

I made the following unsuccessful attempts:

  • removed pi from sudo group (and made sure it indeed does not belong to it)

  • removed pi from adm group

  • modified pi ALL=(ALL) NOPASSWD: ALL ALL in /etc/sudoers/sudoers.d/010_pi_nopasswd to pi ALL=(ALL) ALL: ALL

  • commented out pi ALL=(ALL) NOPASSWD: ALL ALL in /etc/sudoers/sudoers.d/010_pi_nopasswd

  • renamed /etc/sudoers/sudoers.d/010_pi_nopasswd

  • commented out %sudo ALL=(ALL:ALL) ALL in /etc/sudoers (there is no explicit entry for pi /etc/sudoers)

but after logging out/logging in and even rebooting pi still will sudo.

I am now following the advice posted in How to change Pi sudo permissions as apparently another user had this same issue: I have created a new user and will delete pi, but I still would like to understand what is going on. I imagine there is some other default setting the overrides group settings or group settings as listed on the command line, but even gpasswd confirms that pi does not belong to sudo.

(Finally, I was able to prevent sudo from working for pi by using incorrect syntax in the file /etc/sudoers/sudoers.d/010_pi_nopasswd, but this is a clumsy solution if ever there was one.)

Thanks!

Pierre

pierre
  • 1
  • NONE of the files you mention actually exist. If you succeed I presume you NEVER want to update your system. – Milliways Jun 03 '17 at 23:34

1 Answers1

4

I was able to prevent sudo from working for pi by using incorrect syntax in the file /etc/sudoers/sudoers.d/010_pi_nopasswd

If you've removed pi from the sudo group and you don't want to use the command at all with pi, you can just delete that file. Renaming it won't do anything, and there's no point to it if you are just getting it ignored by botching the syntax.

It is not required. See the README in the same directory for more explanation.

goldilocks
  • 58,859
  • 17
  • 112
  • 227