User and Permission Management for Raspberry Pi
Proper user and permission management is fundamental to Raspberry Pi security. Whether you're running a personal project or a multi-user server, understanding how Linux handles users, groups, and permissions will keep your system secure and organized.
Understanding Linux Users
Every process and file on your Raspberry Pi is owned by a user and a group. There are three types of users:
| Type |
UID Range |
Examples |
Purpose |
| Root |
0 |
root |
Superuser with full system access |
| System users |
1-999 |
www-data, nobody, sshd |
Run services with limited privileges |
| Regular users |
1000+ |
pi, alice, bob |
Human users |
| # See your current user
whoami
# See your user ID and groups
id
# List all users on the system
cat /etc/passwd | awk -F: '$3 >= 1000 {print $1}'
# List all logged-in users
who
|
Managing User Accounts
Creating a New User
| # Create a new user with home directory
sudo adduser alice
# You'll be prompted for password and optional info (name, phone, etc.)
# Or create without prompts (non-interactive)
sudo useradd -m -s /bin/bash -G sudo alice
sudo passwd alice
|
| Flag |
Meaning |
-m |
Create home directory |
-s /bin/bash |
Set default shell |
-G sudo |
Add to sudo group |
-e 2025-12-31 |
Set account expiry date |
-c "Alice Smith" |
Set user comment/full name |
Modifying a User
| # Change username
sudo usermod -l newname oldname
# Change home directory
sudo usermod -d /home/newname -m newname
# Lock a user account (disable login)
sudo usermod -L username
# Unlock a user account
sudo usermod -U username
# Set account expiry
sudo usermod -e 2025-12-31 username
# Change default shell
sudo usermod -s /bin/zsh username
|
Deleting a User
| # Remove user but keep home directory
sudo deluser username
# Remove user AND their home directory
sudo deluser --remove-home username
# Remove user and all their files everywhere
sudo deluser --remove-all-files username
|
Managing Groups
Groups allow you to assign permissions to multiple users at once. Common groups on Raspberry Pi:
| Group |
Purpose |
Members Should Be |
sudo |
Administrative access |
Trusted administrators only |
gpio |
GPIO pin access |
Users who need hardware control |
i2c |
I2C bus access |
Users running I2C devices |
spi |
SPI bus access |
Users running SPI devices |
video |
Video/camera access |
Users who need camera/display |
audio |
Audio device access |
Users who need sound |
docker |
Docker without sudo |
Docker users |
www-data |
Web server files |
Web developers |
Creating and Managing Groups
| # Create a new group
sudo groupadd developers
# Add user to a group
sudo usermod -aG developers alice
# -a = append (don't remove from other groups)
# -G = supplementary group
# Add user to multiple groups at once
sudo usermod -aG gpio,i2c,spi alice
# Remove user from a group
sudo gpasswd -d alice developers
# List groups for a user
groups alice
# List all members of a group
getent group developers
# Delete a group
sudo groupdel developers
|
The -a flag is critical
Without -a, usermod -G replaces all supplementary groups. Always use -aG to append. Forgetting -a can lock you out of sudo!
Creating Shared Directories
For teams working on the same files:
| # Create a shared project directory
sudo mkdir -p /opt/projects
sudo groupadd projectteam
sudo usermod -aG projectteam alice
sudo usermod -aG projectteam bob
# Set group ownership
sudo chown root:projectteam /opt/projects
# Set permissions: owner and group can read/write, others can't access
sudo chmod 2775 /opt/projects
# The '2' sets the setgid bit — new files inherit the group
|
The setgid bit (2xxx) ensures that any new files created in the directory automatically belong to the projectteam group, regardless of who creates them.
Understanding sudo
sudo (Superuser Do) allows permitted users to run commands as root. On Raspberry Pi OS, the default user (pi) has full sudo access.
How sudo Works
| # Run a single command as root
sudo apt update
# Open a root shell
sudo -i
# Run a command as a different user
sudo -u www-data command
# Edit a file that requires root (safe method)
sudo nano /etc/hosts
# Check if you have sudo access
sudo -v
|
Configuring sudo
The sudo configuration is in /etc/sudoers. Never edit it directly — always use visudo:
Common configurations:
| # Allow a user full sudo access (already default for 'pi')
alice ALL=(ALL:ALL) ALL
# Allow sudo without password (convenient but less secure)
alice ALL=(ALL:ALL) NOPASSWD: ALL
# Allow specific commands only (most secure)
alice ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /sbin/reboot
# Allow a group to sudo
%developers ALL=(ALL:ALL) ALL
# Allow GPIO access without sudo
alice ALL=(ALL:ALL) NOPASSWD: /usr/bin/pinctrl
|
Per-file sudoers configuration
Instead of editing the main sudoers file, create a file in /etc/sudoers.d/:
| echo "alice ALL=(ALL:ALL) NOPASSWD: /sbin/reboot" | sudo tee /etc/sudoers.d/alice
sudo chmod 440 /etc/sudoers.d/alice
|
File Permissions Deep Dive
Reading Permission Strings
| -rwxr-xr-- 1 alice developers 4096 Jun 20 10:30 script.sh
│╰─┬─╯╰─┬─╯╰─┬─╯ │ │ │ │ │ │
│ │ │ │ │ │ │ │ │ └─ filename
│ │ │ │ │ │ │ │ └─ modified date
│ │ │ │ │ │ │ └─ file size
│ │ │ │ │ │ └─ group owner
│ │ │ │ │ └─ user owner
│ │ │ │ └─ hard link count
│ │ │ └─ Others: r-- (read only)
│ │ └─ Group: r-x (read + execute)
│ └─ Owner: rwx (read + write + execute)
└─ Type: - (regular file), d (directory), l (symlink)
|
Setting Permissions
| # Numeric method
chmod 755 script.sh # rwxr-xr-x
chmod 644 config.txt # rw-r--r--
chmod 600 secret.key # rw-------
chmod 700 private_dir # rwx------
# Symbolic method
chmod u+x script.sh # Add execute for owner
chmod g+w shared_file # Add write for group
chmod o-r private_file # Remove read for others
chmod a+r public_file # Add read for all
chmod ug+rw,o-rwx file # Owner+group: rw, others: none
|
Special Permissions
| Permission |
Numeric |
Symbol |
On Files |
On Directories |
| Setuid |
4xxx |
s in owner execute |
Runs as file owner |
— |
| Setgid |
2xxx |
s in group execute |
Runs as file group |
New files inherit group |
| Sticky |
1xxx |
t in others execute |
— |
Only owner can delete files |
| # Set setgid on directory (new files inherit group)
chmod 2775 /opt/shared
# Set sticky bit (prevent others from deleting your files)
chmod 1777 /tmp # This is how /tmp works
# Find files with setuid set (security audit)
find / -perm -4000 -type f 2>/dev/null
|
Default Permissions (umask)
The umask determines default permissions for new files:
| # Check current umask
umask
# Common values:
# 022 → files: 644, dirs: 755 (default)
# 027 → files: 640, dirs: 750 (more restrictive)
# 077 → files: 600, dirs: 700 (very restrictive)
# Set umask for current session
umask 027
# Make permanent: add to ~/.bashrc
echo "umask 027" >> ~/.bashrc
|
SSH Key Management
SSH keys are more secure than passwords. Here's the complete setup:
Generating Keys
On your local machine (not the Pi):
| # Generate a modern ed25519 key (recommended)
ssh-keygen -t ed25519 -C "alice@laptop"
# Or RSA 4096-bit (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "alice@laptop"
|
Deploying Keys
| # Method 1: ssh-copy-id (easiest)
ssh-copy-id -i ~/.ssh/id_ed25519.pub alice@raspberrypi.local
# Method 2: Manual
cat ~/.ssh/id_ed25519.pub | ssh alice@raspberrypi.local \
'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
|
Securing SSH
After deploying keys, disable password authentication:
| # On the Pi:
sudo nano /etc/ssh/sshd_config
|
| # Disable password authentication
PasswordAuthentication no
# Disable root login
PermitRootLogin no
# Allow only specific users
AllowUsers alice bob
# Use only Protocol 2
Protocol 2
|
| sudo systemctl restart ssh
|
Managing Multiple Keys
| # On your local machine, create ~/.ssh/config
nano ~/.ssh/config
|
| Host pi-home
HostName 192.168.1.100
User alice
IdentityFile ~/.ssh/id_ed25519
Host pi-office
HostName 10.0.0.50
User admin
IdentityFile ~/.ssh/id_rsa_office
Port 2222
|
Now connect with just: ssh pi-home
Security Best Practices
1. Don't Use the Default pi User
On newer Raspberry Pi OS versions, you create a custom user during setup. On older versions:
| # Create a new user
sudo adduser myadmin
sudo usermod -aG sudo myadmin
# Test the new user can sudo
su - myadmin
sudo whoami # Should output: root
# Disable the pi account
sudo usermod -L pi
|
2. Set Password Policies
| # Install password quality checking
sudo apt install libpam-pwquality
# Configure password requirements
sudo nano /etc/security/pwquality.conf
|
| minlen = 10 # Minimum 10 characters
ucredit = -1 # At least 1 uppercase
lcredit = -1 # At least 1 lowercase
dcredit = -1 # At least 1 digit
ocredit = -1 # At least 1 special character
|
3. Set Login Attempt Limits
| # Install fail2ban to block brute-force attempts
sudo apt install fail2ban
# Configure (copy default config)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
|
Key settings:
| [sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 3600 # Ban for 1 hour
findtime = 600 # Within 10 minutes
|
| sudo systemctl enable fail2ban
sudo systemctl restart fail2ban
# Check banned IPs
sudo fail2ban-client status sshd
|
4. Audit User Activity
| # Check login history
last -10
# Check failed login attempts
sudo lastb -10
# Check who's currently logged in
w
# Check sudo usage
sudo journalctl _COMM=sudo --since today
|
5. Regular Permission Audits
| # Find world-writable files (potential security risk)
find / -type f -perm -002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null
# Find files with no owner (orphaned files)
find / -nouser -o -nogroup 2>/dev/null
# Find setuid/setgid files (potential privilege escalation)
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
# Check sudoers configuration
sudo visudo -c
|
Quick Reference
Common Permission Patterns
| Permission |
Numeric |
Use Case |
rwxr-xr-x |
755 |
Scripts, programs, directories |
rw-r--r-- |
644 |
Config files, documents |
rw------- |
600 |
SSH keys, passwords, secrets |
rwx------ |
700 |
Private directories, .ssh/ |
rwxrwxr-x |
775 |
Shared group directories |
rwxrwxrwt |
1777 |
/tmp style directories |
Essential Commands Cheat Sheet
| # User management
sudo adduser username # Create user
sudo deluser username # Delete user
sudo passwd username # Change password
sudo usermod -aG group user # Add to group
# Permission management
chmod 755 file # Set permissions
chown user:group file # Change ownership
chown -R user:group dir/ # Recursive ownership
# Information
id username # User info
groups username # Group membership
getent group groupname # Group members
last -10 # Login history
|