How to Add Users on Rocky Linux with Sudo Privileges from the Command Line
Like all Linux distributions, Rocky Linux is a multi-user environment. Although most OSes are multi-user environments, not all of them allow multiple users to log in at the same time. With Rocky Linux, you could have hundreds of users, all of whom are logged in at once. Granted those users would be logged in via the terminal (such as through SSH), but it works and it works very well.
This is especially important when those users need to serve as administrators. When you have Rocky Linux deployed in a large company, you can't expect one admin to always keep that system up and running. You might have senior admins, junior admins, db admins, developers, and all sorts of different types of users who not only need access to that server but need admin privileges.
Does that mean you need to hand out the root user password to those users?
No. No. No.
In fact, you should make sure you've disabled Root SSH login. To do that, log into your Rocky Linux server as a user with sudo privileges and open the SSH daemon configuration file with:
sudo nano /etc/ssh/sshd_config
In that file, add the following in the Authentication section:
PermitRootLogin no
Restart SSH with:
sudo systemctl restart sshd
Attempt to log in to the server as root with:
ssh root@SERVER
Where SERVER is either the IP address or domain of the server. You will see Permission denied every time you attempt to authenticate with the root password.
Now that you've taken care of that, it's time to add specific users to the admin group, so they have sudo privileges.
A word of caution
This is crucial. You should only give sudo permissions to those users whom you can trust. If you add just any user, you could open yourself up to a world of problems. To that end, make sure to vet your admins so that you are one hundred percent certain they can be trusted with admin privileges on your servers.
You've been warned.
What you'll need
The only two things you'll need for this are a running instance of Rocky Linux and a user with sudo privileges. You most likely created this user during the installation of the OS.
Adding users to the admin group
To do this, we use the usermod command and add users to the wheel group. If you've ever worked with Ubuntu, this is similar to adding them to the sudo group.
Let's say you have the user camille on your system and they need access to sudo. To do that, the command would be:
sudo usermod -aG wheel camille
The a option informs usermod we're going to append the user to a supplementary group and G instructs usermod what the group will be.
If camille is currently logged in, they will have to log out and log back in for the changes to take effect. They can then issue commands that require admin privileges using sudo.
But wait…there's a loophole
What if you have a user who's not a part of the wheel group and they, for whatever reason, know the root password for the system? All they have to do is issue the command su and type the root password and they have all the admin privileges they need.
On top of that, anyone with the root password could log into the server as the root user, which isn't something you generally want. There is a way around it. Essentially, what you do is change the root user's shell, which makes it impossible for anyone to log in as the root user. Understand that there might be situations where you wouldn't want to do this but as long as you have a user with sudo privileges, you can always undo it should the need arise.
To disable root login, run the following command:
usermod root --shell /bin/nologin
Now, when someone attempts to su to root, they'll receive the following error:
su: failed to execute /bin/nologin: No such file or directory
And there you have it. You've not only added users to the admin group, but you've locked down root login. Just remember to use both of these ideas with caution. Don't hand out sudo privileges to just anyone and don't lock out the root user if it's required.
