---
categories: ['OpenWRT','System']
date: 2020-02-24T19:41:07+01:00
description: "How to create a non-privileged user, to use sudo temporarily and correctly!"
draft: false
tags: ["OpenWRT","sudo","sysadmin"]
title: "OpenWRT: sudo"
translationKey: "openwrt-sudo"
---

## Description

By default, **OpenWRT** has only one user: the **root** administrator.

We will create a new user without privileges of its own, who administers the system correctly through the `sudo` tool.

## Installation

As **root**, run the following commands:

`# opkg update`
`# opkg install shadow-useradd sudo`

{{< note tip >}} You can also install the `shadow-usermod` package; it is meant for modifying the user account. {{< /note >}}

## Configuration

### user configuration

Now, configure the user account:

* `# useradd ego`: `ego` is the account name - *choose whatever suits you…*
* `# passwd ego`: set the password
* `# mkdir -p /home/ego/.ssh`: create the home directory and the ssh folder.
* `# touch /home/ego/.ssh/authorized_keys`: create an empty file *(to hold your SSH public keys)*
* `# chown -R ego:ego /home/ego`: give the user ownership of their home.
* `# chmod 0700 /home/ego`: allow access to this user only.

### sudo configuration

I will only cover the most secure method of configuring sudo:
This method lets you use the administrator's password without having to log in with the administrator account. The `sudo` command must precede any other necessary command.

Edit the `/etc/sudoers` file with the `visudo` command:

`# visudo`

Go to the bottom of the file and uncomment both of the following lines by removing the `#` symbol:

`# Defaults targetpw # Ask for the password of the target user`
`# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'`

{{< note tip >}} To save the file after the modification, type: `:wq!` {{< /note >}}

After saving and quitting, your user can run any administration command.

### SSH configuration

Now is a good time to add your SSH key to the `/home/ego/.ssh/authorized_keys` file.

{{< note warning >}}Be sure to copy your public key only, the one with the `.pub` extension!{{< /note >}}

### sysupgrade configuration

Remember to edit the file `/etc/sysupgrade.conf` to add:

* your home folder,
* and `/etc/sudoers.d` *(only if you add configuration to this folder)*

and check with the command `sysupgrade -l`.

That way, your personal data will be preserved during a {{< inside "sys:openwrt:sysupgrade" "future upgrade" >}}.

---

## Documentation

* https://openwrt.org/docs/guide-user/security/secure.access#create_a_non-privileged_user_in_openwrt

----
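
The WARNING comment in the sudo configuration section is worth checking after leaving `visudo`: if `ALL ALL=(ALL) ALL` is active while `Defaults targetpw` is still commented out, sudo asks for the caller's own password instead of root's. The script below is an added example, not part of the original page; its function names are hypothetical and it assumes only the two literal lines shown on the page need checking.

```shell
#!/bin/sh
# Added example, not from the original page. POSIX sh (works in BusyBox ash).
# Assumption: only the two literal lines shown on the page are checked;
# files pulled in from /etc/sudoers.d are not followed.

# has_active FILE ERE: true if a non-commented line starts with ERE.
has_active() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_targetpw FILE
#   returns 0  both lines active (the configuration the page describes)
#   returns 1  'ALL ALL=(ALL) ALL' active without 'Defaults targetpw':
#              sudo then asks for the caller's own password, so every
#              local account can run anything as root
#   returns 2  the ALL rule is not active: the page's setup is not in effect
check_targetpw() {
    tpw='Defaults[[:space:]]+targetpw([[:space:]]|#|$)'
    all='ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL([[:space:]]|#|$)'
    has_active "$1" "$all" || return 2
    has_active "$1" "$tpw" || return 1
    return 0
}

# Constructed sample inputs (not real system files).
sample_ok() {        # both lines uncommented
    printf '%s\n' 'Defaults targetpw # Ask for the password of the target user' \
        "ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'"
}
sample_half() {      # first line left commented out by mistake
    printf '%s\n' '# Defaults targetpw # Ask for the password of the target user' \
        "ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'"
}
sample_default() {   # both lines still commented
    printf '%s\n' '# Defaults targetpw' '# ALL ALL=(ALL) ALL'
}

# Demo: audit each constructed sample and print the return code.
demo() {
    tmp=$(mktemp) || return 1
    for s in sample_ok sample_half sample_default; do
        "$s" > "$tmp"
        rc=0; check_targetpw "$tmp" || rc=$?
        echo "$s: check_targetpw returned $rc"
    done
    rm -f "$tmp"
}
demo
```

On the router, run `check_targetpw /etc/sudoers` as root after saving the file; a return code of 1 means the second line was uncommented without the first.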