Raspberry Pi OS Makes a Shift Away From Passwordless sudo to Boost Security
Elevated privileges will now come with the need to enter your password, Raspberry Pi's Simon Long explains.
Raspberry Pi has announced a sea-change to the way elevated privileges are handled in Raspberry Pi OS, its Debian-derived Linux distribution tailored to the eponymous single-board computer and compute-on-module range — and you're going to be typing your passwords a lot more.
"Today we are releasing version 6.2 of Raspberry Pi OS, the second update to the Trixie version we released last year," explains developer Simon Long of the shift. "This update is mostly a round-up of all the small changes and bug fixes we have made over the past few months, but there is one significant change that we’d like to flag up: passwordless sudo is now disabled by default."
In Raspberry Pi OS — and most Linux distributions — sudo is used to temporarily switch user accounts, typically to elevate a normal user account's privilege level to that of the root user in order to install new software or make other system-wide changes. Since its birth as the community-driven project Raspbian, Raspberry Pi OS has opted for convenience over security by allowing a previously-authenticated user to switch to the root user account without re-entering their password, but as of Raspberry Pi OS 6.2 that changes.
"From this release onwards, passwordless sudo is disabled by default," Long explains. "If you use sudo for administrator-level access, you will be prompted to enter the current user's password. In the terminal, the password prompt will appear as soon as you issue a sudo command. If you enter the correct password, the command will proceed as normal; if you enter an incorrect password, the command will be refused. Certain actions in the desktop interface also require sudo access, including some operations in Control Center. In these cases, a [graphical] dialog box will pop up asking for the password."
Once re-authenticated, users will be able to continue to use sudo for five minutes before being required to enter their passwords again — though switching to an interactive terminal as root using sudo -i will, naturally, not time out, nor will individual long-running tasks kicked off using sudo. Those who prefer the older passwordless approach, meanwhile, can restore the previous behavior by toggling the somewhat confusingly-named "Admin Password" option in Control Center.
"Please note that this change will not affect updates to existing installations of Raspberry Pi OS," Long concludes. "The Admin Password switch will appear in Control Centre as shown above, but passwordless sudo will remain enabled unless you choose to disable it."
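Because upgraded installations keep passwordless sudo unless it is switched off, an administrator may want to check what the sudoers rules on a system actually allow. The following is an added example, not code from Raspberry Pi or from this article: it scans sudoers text for NOPASSWD tags, !authenticate defaults and credential-cache timeouts above the five minutes mentioned above. The sample content, the function names and the finding labels are constructed for illustration.

```python
import re
import sys

# Constructed sample sudoers content, for illustration only.
SAMPLE = """\
# constructed example
Defaults env_reset
Defaults timestamp_timeout=5
%sudo ALL=(ALL:ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
bob ALL=(root) NOPASSWD: /usr/bin/apt update, \\
    PASSWD: /usr/bin/apt upgrade
Defaults:carol !authenticate
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        # "#include..." is a directive and "#1000" a uid, not comments.
        if line and not re.match(r"#(?!include|\d)", line):
            yield line

def audit(text, max_timeout=5.0):
    """Return (kind, line) findings for rules that skip or relax the password prompt."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            if re.search(r"!\s*authenticate\b", line):
                findings.append(("no-authenticate", line))
            m = re.search(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
            # A negative timeout means cached credentials never expire.
            if m and not 0 <= float(m.group(1)) <= max_timeout:
                findings.append(("long-timeout", line))
        elif re.search(r"\bNOPASSWD\s*:", line):
            findings.append(("nopasswd", line))
    return findings

if __name__ == "__main__":
    # With file arguments, audit those files; otherwise audit the sample.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE]
    for text in texts:
        for kind, line in audit(text):
            print(f"{kind}: {line}")
```

Reading a system's sudoers files normally requires root, so the script is run with the file paths as arguments from an account that can read them.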
Raspberry Pi OS 6.2 is now available to download from the Raspberry Pi website.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.