Skip to content

User and Permission Management for Raspberry Pi

Proper user and permission management is fundamental to Raspberry Pi security. Whether you're running a personal project or a multi-user server, understanding how Linux handles users, groups, and permissions will keep your system secure and organized.

Understanding Linux Users

Every process and file on your Raspberry Pi is owned by a user and a group. There are three types of users:

Type UID Range Examples Purpose
Root 0 root Superuser with full system access
System users 1-999 www-data, nobody, sshd Run services with limited privileges
Regular users 1000+ pi, alice, bob Human users
# See your current user
whoami

# See your user ID and groups
id

# List all users on the system
cat /etc/passwd | awk -F: '$3 >= 1000 {print $1}'

# List all logged-in users
who

Managing User Accounts

Creating a New User

1
2
3
4
5
6
7
# Create a new user with home directory
sudo adduser alice
# You'll be prompted for password and optional info (name, phone, etc.)

# Or create without prompts (non-interactive)
sudo useradd -m -s /bin/bash -G sudo alice
sudo passwd alice
Flag Meaning
-m Create home directory
-s /bin/bash Set default shell
-G sudo Add to sudo group
-e 2025-12-31 Set account expiry date
-c "Alice Smith" Set user comment/full name

Modifying a User

# Change username
sudo usermod -l newname oldname

# Change home directory
sudo usermod -d /home/newname -m newname

# Lock a user account (disable login)
sudo usermod -L username

# Unlock a user account
sudo usermod -U username

# Set account expiry
sudo usermod -e 2025-12-31 username

# Change default shell
sudo usermod -s /bin/zsh username

Deleting a User

1
2
3
4
5
6
7
8
# Remove user but keep home directory
sudo deluser username

# Remove user AND their home directory
sudo deluser --remove-home username

# Remove user and all their files everywhere
sudo deluser --remove-all-files username

Managing Groups

Groups allow you to assign permissions to multiple users at once. Common groups on Raspberry Pi:

Group Purpose Members Should Be
sudo Administrative access Trusted administrators only
gpio GPIO pin access Users who need hardware control
i2c I2C bus access Users running I2C devices
spi SPI bus access Users running SPI devices
video Video/camera access Users who need camera/display
audio Audio device access Users who need sound
docker Docker without sudo Docker users
www-data Web server files Web developers

Creating and Managing Groups

# Create a new group
sudo groupadd developers

# Add user to a group
sudo usermod -aG developers alice
# -a = append (don't remove from other groups)
# -G = supplementary group

# Add user to multiple groups at once
sudo usermod -aG gpio,i2c,spi alice

# Remove user from a group
sudo gpasswd -d alice developers

# List groups for a user
groups alice

# List all members of a group
getent group developers

# Delete a group
sudo groupdel developers

The -a flag is critical

Without -a, usermod -G replaces all supplementary groups. Always use -aG to append. Forgetting -a can lock you out of sudo!

Creating Shared Directories

For teams working on the same files:

# Create a shared project directory
sudo mkdir -p /opt/projects
sudo groupadd projectteam
sudo usermod -aG projectteam alice
sudo usermod -aG projectteam bob

# Set group ownership
sudo chown root:projectteam /opt/projects

# Set permissions: owner and group can read/write, others can't access
sudo chmod 2775 /opt/projects
# The '2' sets the setgid bit — new files inherit the group

The setgid bit (2xxx) ensures that any new files created in the directory automatically belong to the projectteam group, regardless of who creates them.

Understanding sudo

sudo (Superuser Do) allows permitted users to run commands as root. On Raspberry Pi OS, the default user (pi) has full sudo access.

How sudo Works

# Run a single command as root
sudo apt update

# Open a root shell
sudo -i

# Run a command as a different user
sudo -u www-data command

# Edit a file that requires root (safe method)
sudo nano /etc/hosts

# Check if you have sudo access
sudo -v

Configuring sudo

The sudo configuration is in /etc/sudoers. Never edit it directly — always use visudo:

sudo visudo

Common configurations:

# Allow a user full sudo access (already default for 'pi')
alice ALL=(ALL:ALL) ALL

# Allow sudo without password (convenient but less secure)
alice ALL=(ALL:ALL) NOPASSWD: ALL

# Allow specific commands only (most secure)
alice ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade, /sbin/reboot

# Allow a group to sudo
%developers ALL=(ALL:ALL) ALL

# Allow GPIO access without sudo
alice ALL=(ALL:ALL) NOPASSWD: /usr/bin/pinctrl

Per-file sudoers configuration

Instead of editing the main sudoers file, create a file in /etc/sudoers.d/:

echo "alice ALL=(ALL:ALL) NOPASSWD: /sbin/reboot" | sudo tee /etc/sudoers.d/alice
sudo chmod 440 /etc/sudoers.d/alice

File Permissions Deep Dive

Reading Permission Strings

-rwxr-xr-- 1 alice developers 4096 Jun 20 10:30 script.sh
│╰─┬─╯╰─┬─╯╰─┬─╯ │  │      │         │     │         │
│  │     │    │   │  │      │         │     │         └─ filename
│  │     │    │   │  │      │         │     └─ modified date
│  │     │    │   │  │      │         └─ file size
│  │     │    │   │  │      └─ group owner
│  │     │    │   │  └─ user owner
│  │     │    │   └─ hard link count
│  │     │    └─ Others: r-- (read only)
│  │     └─ Group: r-x (read + execute)
│  └─ Owner: rwx (read + write + execute)
└─ Type: - (regular file), d (directory), l (symlink)

Setting Permissions

# Numeric method
chmod 755 script.sh    # rwxr-xr-x
chmod 644 config.txt   # rw-r--r--
chmod 600 secret.key   # rw-------
chmod 700 private_dir  # rwx------

# Symbolic method
chmod u+x script.sh       # Add execute for owner
chmod g+w shared_file     # Add write for group
chmod o-r private_file    # Remove read for others
chmod a+r public_file     # Add read for all
chmod ug+rw,o-rwx file    # Owner+group: rw, others: none

Special Permissions

Permission Numeric Symbol On Files On Directories
Setuid 4xxx s in owner execute Runs as file owner
Setgid 2xxx s in group execute Runs as file group New files inherit group
Sticky 1xxx t in others execute Only owner can delete files
1
2
3
4
5
6
7
8
# Set setgid on directory (new files inherit group)
chmod 2775 /opt/shared

# Set sticky bit (prevent others from deleting your files)
chmod 1777 /tmp  # This is how /tmp works

# Find files with setuid set (security audit)
find / -perm -4000 -type f 2>/dev/null

Default Permissions (umask)

The umask determines default permissions for new files:

# Check current umask
umask
# Common values:
# 022 → files: 644, dirs: 755 (default)
# 027 → files: 640, dirs: 750 (more restrictive)
# 077 → files: 600, dirs: 700 (very restrictive)

# Set umask for current session
umask 027

# Make permanent: add to ~/.bashrc
echo "umask 027" >> ~/.bashrc

SSH Key Management

SSH keys are more secure than passwords. Here's the complete setup:

Generating Keys

On your local machine (not the Pi):

1
2
3
4
5
# Generate a modern ed25519 key (recommended)
ssh-keygen -t ed25519 -C "alice@laptop"

# Or RSA 4096-bit (wider compatibility)
ssh-keygen -t rsa -b 4096 -C "alice@laptop"

Deploying Keys

1
2
3
4
5
6
# Method 1: ssh-copy-id (easiest)
ssh-copy-id -i ~/.ssh/id_ed25519.pub alice@raspberrypi.local

# Method 2: Manual
cat ~/.ssh/id_ed25519.pub | ssh alice@raspberrypi.local \
  'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

Securing SSH

After deploying keys, disable password authentication:

# On the Pi:
sudo nano /etc/ssh/sshd_config
# Disable password authentication
PasswordAuthentication no

# Disable root login
PermitRootLogin no

# Allow only specific users
AllowUsers alice bob

# Use only Protocol 2
Protocol 2
sudo systemctl restart ssh

Managing Multiple Keys

# On your local machine, create ~/.ssh/config
nano ~/.ssh/config
Host pi-home
    HostName 192.168.1.100
    User alice
    IdentityFile ~/.ssh/id_ed25519

Host pi-office
    HostName 10.0.0.50
    User admin
    IdentityFile ~/.ssh/id_rsa_office
    Port 2222

Now connect with just: ssh pi-home

Security Best Practices

1. Don't Use the Default pi User

On newer Raspberry Pi OS versions, you create a custom user during setup. On older versions:

# Create a new user
sudo adduser myadmin
sudo usermod -aG sudo myadmin

# Test the new user can sudo
su - myadmin
sudo whoami  # Should output: root

# Disable the pi account
sudo usermod -L pi

2. Set Password Policies

1
2
3
4
5
# Install password quality checking
sudo apt install libpam-pwquality

# Configure password requirements
sudo nano /etc/security/pwquality.conf
1
2
3
4
5
minlen = 10        # Minimum 10 characters
ucredit = -1       # At least 1 uppercase
lcredit = -1       # At least 1 lowercase
dcredit = -1       # At least 1 digit
ocredit = -1       # At least 1 special character

3. Set Login Attempt Limits

1
2
3
4
5
6
# Install fail2ban to block brute-force attempts
sudo apt install fail2ban

# Configure (copy default config)
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Key settings:

1
2
3
4
5
6
7
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 3600    # Ban for 1 hour
findtime = 600    # Within 10 minutes
1
2
3
4
5
sudo systemctl enable fail2ban
sudo systemctl restart fail2ban

# Check banned IPs
sudo fail2ban-client status sshd

4. Audit User Activity

# Check login history
last -10

# Check failed login attempts
sudo lastb -10

# Check who's currently logged in
w

# Check sudo usage
sudo journalctl _COMM=sudo --since today

5. Regular Permission Audits

# Find world-writable files (potential security risk)
find / -type f -perm -002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null

# Find files with no owner (orphaned files)
find / -nouser -o -nogroup 2>/dev/null

# Find setuid/setgid files (potential privilege escalation)
find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

# Check sudoers configuration
sudo visudo -c

Quick Reference

Common Permission Patterns

Permission Numeric Use Case
rwxr-xr-x 755 Scripts, programs, directories
rw-r--r-- 644 Config files, documents
rw------- 600 SSH keys, passwords, secrets
rwx------ 700 Private directories, .ssh/
rwxrwxr-x 775 Shared group directories
rwxrwxrwt 1777 /tmp style directories

Essential Commands Cheat Sheet

# User management
sudo adduser username        # Create user
sudo deluser username        # Delete user
sudo passwd username         # Change password
sudo usermod -aG group user  # Add to group

# Permission management
chmod 755 file               # Set permissions
chown user:group file        # Change ownership
chown -R user:group dir/     # Recursive ownership

# Information
id username                  # User info
groups username              # Group membership
getent group groupname       # Group members
last -10                     # Login history