CIQ

How to Give Rocky Linux Users Admin Rights

How to Give Rocky Linux Users Admin Rights
August 25, 2023

Like every Linux distribution on the market, Rocky Linux is a multi-user operating system. That not only means you can have numerous users on the system, but they can log in at the same time. That doesn't mean they can all simultaneously log into the desktop environment but rather the console (such as via SSH). 

When you create a new user on Rocky Linux, that user is considered a standard user, without admin privileges. That means the new user cannot run admin-level commands or use sudo. Because of that, new users cannot run commands like sudo dnf update, control the firewall, or manage SELinux. 

This is by design, as you do not want to give every new Rocky Linux user admin privileges, which could cause chaos or (worse) lead to a bad actor gaining access to your system and stealing data or taking over your network for nefarious purposes.

With all users created without admin privileges, your Rocky Linux instance is more secure. However, that doesn't mean you have to leave all of those users without the ability to use sudo. In fact, you will most likely need to give certain users sudo privileges (such as other admins, junior admins, developers, and those on your DevOps or security teams). 

Fortunately, the process of giving a user admin privileges is quite easy. Let us show you how it's done.

How to create a new user

The first thing we'll do is create a new user. It might be wise for you to do this with a test account, instead of immediately jumping in and handing over admin privileges to current users.

To create a new user on Rocky Linux, you'll use the adduser command. For that, you'll have to be logged in as a user with admin privileges. Don't log in as root but as the user you created during the installation of Rocky Linux. Generally speaking, logging in as the root user is frowned upon as a security risk Let's create the user olivia with the command:

sudo adduser olivia

The above command will create the user olivia with the home directory of /home/olivia but will not ask you to set a password. For that, use the command:

sudo passwd olivia

You'll be prompted to type and verify a password for the user.

Test admin privileges for the new user

Just for fun, let's test the admin privileges for the new user. Change to the new user with the command:

su - olivia

Let's see if olivia can run the update command. Type the following and hit Enter on your keyboard:

sudo dnf update

You'll be prompted for olivia's password. Upon successful authentication, however, you'll see the following message (which is logged in /var/log/secure):

olivia is not in the sudoers file.  This incident will be reported.

You can also verify the default sudo rules and permissions with the command:

sudo -l

The output will look something like this:

Matching Defaults entries for olivia on HIVE:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User olivia may run the following commands on HIVE:
    (ALL : ALL) ALL

Giving the user admin privileges

It's now time to give olivia admin privileges. This is done with the usermod command, which is used to modify a user account. We'll use usermod with the a and G options, which are append and groups. The admin group for Rocky Linux is called wheel. With UNIX-like operating systems, the term wheel originated with BSD and was slang for big wheel (referring to a person with a lot of power).

The command to add olivia to the wheel group (which must be run by a user with admin privileges) is:

sudo usermod -aG wheel olivia

Change to the user olivia again with:

su - olivia

After you've successfully authenticated, attempt to run the update command again:

sudo dnf update

This time, the command should successfully complete.

Blocking access to root

As a final tip, you might want to block access to the root user, so all of those users with admin rights aren't able to change to that user account. To do this, open the necessary file with the command:

sudo nano /etc/passwd

At the top of the file, you'll see the following entry:

root:x:0:0:root:/root:/bin/bash

Change that line to:

root:x:0:0:root:/root:/sbin/nologin

Save and close the file.

Now, when a user attempts to change to root, they'll see the following error:

This account is currently not available.

Now, no user can log in or change to the root user. All admin commands must be done via sudo

Congratulations! You now know how to give users admin privileges in Rocky Linux and prevent anyone from accessing the root user for heightened security.

Related posts

2023 Holiday Gift Guide for Rocky Linux Users

2023 Holiday Gift Guide for Rocky Linux Users

Dec 19, 2023

Rocky Linux

Why Rocky Linux Is a Rock-Solid Choice in an Economic Downturn

Why Rocky Linux Is a Rock-Solid Choice in an Economic Downturn

Jan 18, 2023

Rocky Linux

6 Signs That It's Time to Move to Rocky Linux

6 Signs That It's Time to Move to Rocky Linux

Feb 23, 2023

Rocky Linux

123
39
>>>