Raspberry Pi OS ends open-door policy for sudo
- Reference: 1776252948
- News link: https://www.theregister.co.uk/2026/04/15/raspberry_pi_os_sudo/
The [1]change affects only new installations - existing setups are untouched. Using the sudo prefix to run a command with administrator privileges will now prompt for a password; enter it wrong, and the command is refused.
Previously, any user could run sudo commands as an administrator without authentication. That was convenient, and had always been the default, yet it was an obvious security risk, as anyone with access to the machine could cause serious harm.
Once an admin enters the password correctly, the system won't prompt for it again for the next five minutes, so multiple sudo commands in a row stay frictionless.
Users who prefer the old behavior can revert the system to its original passwordless state in the Control Centre or via a raspi-config setting.
The change will undoubtedly inconvenience some users - certain scripts may break - but the reasoning is sound. Passwordless sudo by default was a clear vulnerability, even if Raspberry Pi acknowledged that beefing up security is "a tricky balance."
"Anything that makes the operating system more secure will invariably inconvenience legitimate users to some extent."
Reaction from users has been mixed: one called it a "lame change" and said "it ruined my day," while others accepted the need to improve the default security posture. It's worth reiterating that the change is easy to reverse and leaves existing installations alone.
For a device with free-wheeling hobbyist roots, requiring a password feels like a small but meaningful step toward the mainstream, which is understandable, even if not universally welcome. ®
[1] https://www.raspberrypi.com/news/a-security-update-for-raspberry-pi-os/
Re: The obviously correct decision
Depends on what you're doing with the system and what user groups you have – I think it's a bit OTT for our Pikaraoke machine…
Re: The obviously correct decision
Of course. If you need to relax or modify security then it is your choice.
However, insecure by default is bad policy.
Re: The obviously correct decision
Even better would be to encourage hobbyists to change the default root password and use su to do admin tasks so that there are two different passwords required to get root privilege. At best sudo is a triumph of convenience over security.
Re: The obviously correct decision
"At best sudo is a triumph of convenience over security."
Isn't it a bit more complex than that? The real issue is a godlike 'root' user that can do anything.
The advantage with sudo is you don't need to disseminate the root password and you can have multiple people allowed to be root without them having to know the root password, or each other's either.
(Now sure... your godlike root powers mean you can change it... but that's an issue with godlike root again...)
Re: The obviously correct decision
"The real issue is a god like 'root' user that can do anything."
In the end you always need that, but sudo can be configured to offer less to a given user. Whether or not you do that is, as with requiring a password or not, a security/convenience trade-off.
Re: The obviously correct decision
Not to mention you can set up /etc/sudoers to only allow a user or group to run specific commands as root or another user.
This is what sudo was really meant to provide: granular privilege escalation vs. sharing the root password or SUID permission.
Superuser do
Scooby scooby doo
Scooby dooby do
sudo where --are -you
We need to run as root now.
I had always originally assumed that "sudo" was intentionally a pun on "pseudo" in the tradition of many old-time evolving program names (elm, pine, alpine, etc), as in "to pretend to become a different user", and have continued to stick with that interpretation and pronunciation. Other interpretations are of course acceptable: TMTOWTDI!
Just add it to Raspberry Pi Imager
The imager software that burns the OS onto a microSD asks for the hostname, username & password, timezone, wifi, ssh on/off etc. and already has an "enable passwordless sudo" that warns the user if they disable the option but otherwise lets them do what they like.
I have 3 headless Pi units doing things around the house. I disabled the policy of letting the non-root user execute all commands as root, and enabled a couple of convenience ones. Although if someone is on my home network and logging in to them, privilege escalation is probably the least of my worries.
Might make Pi owners read the sudoers(5) man page.
Pretty easy to reinstate the original behaviour or have passwordless sudo for a restricted set of commands.
Perhaps also not obvious that sudo can run commands as another non-root user.
You can also use ssh-agent forwarding to auth with sudo, which is very convenient if not terribly secure.
Certificates (SSH ones) are apparently "the way" to do this stuff… with a dash of 2FA. Unfortunately there were never enough hours in the day…
Anything is better than the suid root wrappers that just exec a shell that I have encountered over the years.
Michael W Lucas' "Sudo Mastery" at 200 pages probably covers more of the subject than most need or want.
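An added example, not part of any comment above or of Raspberry Pi OS: a small audit that separates the old blanket passwordless grant from the scoped rules the commenters describe (specific commands only, or a non-root target user). The sudoers text, user names, paths and unit name are constructed, and the parser deliberately handles only simple one-line user specs.

```python
import re

# Constructed sample sudoers text; users, paths and unit name are hypothetical.
SAMPLE = """\
# old-style open door: any command, no password
pi ALL=(ALL) NOPASSWD: ALL
Defaults timestamp_timeout=5
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart pikaraoke.service, PASSWD: /usr/bin/apt
%ops ALL=(backup) /usr/local/bin/run-backup
bob ALL=(ALL:ALL) ALL
"""

SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...

def audit(text):
    """Return (who, runas, command, needs_password, verdict) per granted command.

    Simplified on purpose: one user spec per line, no aliases, includes,
    line continuations or escaped commas.
    """
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _host, runas, cmds = m.groups()
        needs_password = True  # sudo asks unless a NOPASSWD tag says otherwise
        for cmd in map(str.strip, cmds.split(",")):
            while (tag := TAG.match(cmd)):
                # A tag stays in force for later commands until overridden.
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    needs_password = tag[1] == "PASSWD"
                cmd = cmd[tag.end():]
            if needs_password:
                verdict = "password"
            elif cmd == "ALL":
                verdict = "blanket-nopasswd"
            else:
                verdict = "scoped-nopasswd"
            findings.append((who, runas or "root", cmd, needs_password, verdict))
    return findings

def open_doors(text):
    """Names that can run any command without authenticating."""
    return [f[0] for f in audit(text) if f[4] == "blanket-nopasswd"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

On a live system, `sudo -l -U <user>` gives sudo's own answer, including aliases and included files that this sketch skips.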
Obligatory
[1]XKCD
[1] https://xkcd.com/149/
Re: Obligatory
Instead of "OK" the default response is now "What is your password?"
The obviously correct decision
The first thing I do when I set up a new Pi is to require a password for sudo.
From the point of view of teaching hobbyists good habits, this should always have been the default behaviour.