librpip

Raspbian

Prerequisite Configuration

Wheezy GPIO Permissions

Raspbian Wheezy is missing a udev rule that grants members of the gpio group read/write access to the  device node /dev/gpiomem. Librpip include a file to fix this. From the source directory copy the ./distro/raspbian/99-wheezy-librpip.rules to /etc/udev/rules.d

After a reboot the device node should look like this:

$ ls -l /dev/gpiomem
crw-rw---T 1 root gpio 244, 0 Jan  1  1970 /dev/gpiomem

PWM Access Group

Unlike the other peripherals, Raspbian does not have a group for PWM access. This is easily fixed by add a system group that will be used to manage access to the PWM’s, and then add yourself and any other accounts to it

$ sudo groupadd pwm 
$ sudo usermod -a -G pwm <acccount>

 

Additional (Optional) Configuration

Here are some additional configuration steps that improve the security of Raspbian.

Firstly, bring the rPi up to date

sudo apt-get update
sudo apt-get upgrade

Secondly run raspi-config and configure the internationalisation properly. Pick the UTF8 variant of the locale.

Create a User for Yourself

The default pi/raspberry user is far to well known, so first step is to create a user and give it the necessary rights.

adduser <username>

Grant the User Rights

sudo usermod -a -G sudo,adm <username>
sudo usermod -a -G audio,cdrom,video,input <username>
sudo usermod -a -G spi,i2c,gpio,dialout <username>

If you want to use PWM‘s now is a good time to create the group and add yourself to it.

sudo groupadd pwm 
sudo usermod -a -G pwm <acccount>

Test User Setup Correctly

Logout from the rPi and log in as yourself

Test you can sudo, this should prompt you for a password and then return root

sudo whoami

Disable PI User

Open /etc/shadow and star out pi’s password to make the account inoperable. It should resemble this (actual numbers following the encrypted password may vary, leave them alone)

pi:*:16760:0:99999:7:::

Disable PI’s Passwordless sudo to Root

Open /etc/sudoers and Comment out pi’s passwordless setup so that it looks like this

#pi ALL=(ALL) NOPASSWD: ALL

Disable Ctrl-Alt-Del = Reboot

As documented here: http://raspberrycompote.blogspot.com.au/2016/02/modifying-ctrlaltdel-behavior-in-debian.html

sudo rm /lib/systemd/system/ctrl-alt-del.target
sudo ln -s /dev/null /lib/systemd/system/ctrl-alt-del.target
sudo systemctl daemon-reload

Disable Automatic login

Run raspi-config and select option 3 (Enable Boot to desktop) then select ‘Console Text console, requiring login (default)’.

Interestingly text console is default for Wheezy but graphical desktop (with automatic login) is default for Jessie.

Enable Package Update ‘Nagging’

By default the rPi is pretty quiet about updates. You can run the following command at any time to get a list of updates available.

sudo apt-get upgrade

However if you are familiar with mail systems you can install and configure ‘apticron’ to check automatically and send out an email with the list. This bit is not for the faint hearted. A badly configured mail server can cause all sorts of havoc including having your internet connection suspended by your ISP. So if in doubt just skip this bit.

Firstly install apticron and all required dependancies:

sudo apt-get install apticron

Next you need to reconfigure EXIM so that it can send mail externally. If you don’t know what the questions mean then stop right now.

dpkg-reconfigure exim4-config

Next edit the /etc/apticron/apticron.conf and change the email to one you use

# set EMAIL to a space separated list of addresses which will be notified of
# impending updates
#
EMAIL="someone@change.this.address"

Finally update /etc/cron.d/apticron with a sensible nag interval. Man crontab for details. I run mine once a day.

14 3 * * * root if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi