Detecting and deleting default user accounts

One challenge of dealing with Internet of Things (IoT) devices is that you don't perform a normal operating system installation on them, as you would when setting up a server. Instead, you download an image with the operating system pre-installed and burn that image to a microSD card. The installed operating system comes with a default user account, and often that user has full sudo privileges without being required to enter a sudo password. Let's take, for example, the Raspex Linux distribution for the Raspberry Pi. (Raspex is built from Ubuntu source code.) On the documentation page of the Raspex download site, we see that the default user is raspex, and the default password for that user is also raspex. We also see that the default password for the root user is root.

So, the default credentials are out there for all the world to see. Obviously, the first thing you want to do when setting up an IoT device is to set up your own user account, give it a good password, and give it sudo privileges. Then get rid of that default account, because leaving it in place, especially if you leave the default password, is just asking for trouble.

But let's dig deeper. Look in the /etc/passwd file on Raspex, and you'll see the default user there:

raspex:x:1000:1000:,,,:/home/raspex:/bin/bash

Then, look in the /etc/sudoers file, and you'll see this line, which allows the raspex user to do all sudo commands without having to enter a password:

raspex ALL=(ALL) NOPASSWD: ALL

Another thing to watch out for is that some Linux distributions for IoT devices have this rule in a separate file in the /etc/sudoers.d directory, instead of in the main sudoers file. Either way, you'll want to delete this rule, as well as the default user account, when you set up your IoT device. And of course, you'll also want to change the root user password, and then lock the root user account.
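As an added example (not from the book), here is a small POSIX shell audit that implements the checks just described: it lists the ordinary login accounts in a passwd file, reports whether a given account is still present, and pulls every active NOPASSWD rule out of a sudoers file plus its sudoers.d drop-in directory. The file paths are parameters, so it runs here against constructed stand-ins for the Raspex files and can be pointed at /etc/passwd, /etc/sudoers and /etc/sudoers.d on a real device.

```shell
#!/bin/sh
# Audit helper for vendor default accounts and passwordless sudo rules.

# Constructed sample files standing in for /etc/passwd, /etc/sudoers and
# /etc/sudoers.d on a fresh Raspex-style image (demo data, not a real dump).
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
raspex:x:1000:1000:,,,:/home/raspex:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$TMP/sudoers" <<'EOF'
# A commented-out NOPASSWD line must not be reported
root ALL=(ALL:ALL) ALL
raspex ALL=(ALL) NOPASSWD: ALL
EOF
mkdir "$TMP/sudoers.d"
printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$TMP/sudoers.d/010_pi-nopasswd"

# Print ordinary login accounts: uid 1000..65533 with a real shell. On a fresh
# image the only such account is normally the vendor default.
login_accounts() {
    awk -F: '$3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Exit 0 while the named account still has a passwd entry, 1 once it is gone.
account_exists() {
    grep -q "^$1:" "$2"
}

# Print every active (non-comment) rule granting NOPASSWD, from the main
# sudoers file and every file in the drop-in directory (missing dir is fine).
nopasswd_rules() {
    grep -hs 'NOPASSWD' "$1" "$2"/* 2>/dev/null | grep -v '^[[:space:]]*#' || true
}

echo "Login accounts (candidate vendor defaults):"
login_accounts "$TMP/passwd"
echo "Passwordless sudo rules to remove:"
nopasswd_rules "$TMP/sudoers" "$TMP/sudoers.d"
```

Once the audit is clean on a device, the remaining steps are the ones above: remove the rule with visudo, delete the default account, then change and lock the root password.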

All righty, I think that that about does it for the sudo topic. Let's move on to the next topic.
