The latest version of Raspberry Pi OS now requires a password for sudo by default.
The change affects only new installations - existing setups are untouched. Using the sudo prefix to run a command with administrator privileges will now prompt for a password; enter it wrong, and the command is refused.
Previously, any user could run sudo commands as an administrator without authentication. It's convenient and has always been the default, yet it is an obvious security risk, as anyone with access to the machine could cause serious harm.
Once an admin enters the password correctly, the system won't prompt for it again for the next five minutes, so multiple sudo commands in a row stay frictionless.
Users who prefer the old behavior can revert the system to its original passwordless state in the Control Centre or via a raspi-config setting.
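To see which behaviour a given machine actually has, the sudo policy can be audited. The script below is an added example, not code from the article or from Raspberry Pi. It assumes sudoers-format text on stdin and looks for the standard sudoers `NOPASSWD` tag and `timestamp_timeout` option, neither of which the article names; the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example: report sudoers rules that skip the password prompt, plus any
# explicit credential-cache timeout. Reads sudoers-format text on stdin.

audit_sudoers() {
    awk '
        # Ignore comments and blank lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # A NOPASSWD tag lets the matching commands run without authentication.
        /NOPASSWD[ \t]*:/ {
            printf "NOPASSWD line %d: %s\n", NR, $0
            next
        }
        # timestamp_timeout is the number of minutes a correct password is cached.
        /^[ \t]*Defaults.*timestamp_timeout[ \t]*=/ {
            t = $0
            sub(/.*timestamp_timeout[ \t]*=[ \t]*/, "", t)  # drop text before the value
            sub(/[^0-9.-].*$/, "", t)                       # drop anything after it
            printf "TIMEOUT line %d: %s minutes\n", NR, t
        }
    '
}

# Constructed sample policy (not taken from a real Raspberry Pi OS image).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults        env_reset
Defaults        timestamp_timeout=5
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

sample_sudoers | audit_sudoers
```

On a live system the same function can be fed the policy files as root; any `NOPASSWD` line it reports is a rule that still bypasses the new prompt.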
The change will undoubtedly inconvenience some users - certain scripts may break - but the reasoning is sound. Passwordless sudo by default was a clear vulnerability, even if Raspberry Pi acknowledged that beefing up security is "a tricky balance."
"Anything that makes the operating system more secure will invariably inconvenience legitimate users to some extent."
Reaction from users has been mixed: one called it a "lame change" and said "it ruined my day," while others accepted the need to improve the default security posture. It's worth reiterating that the change is easy to reverse and leaves existing installations alone.
For a device with free-wheeling hobbyist roots, requiring a password feels like a small but meaningful step toward the mainstream, which is understandable, even if not universally welcome.
Source: The Register