Configuring and Managing an Admin User with Sudo Privileges on Rocky Linux 9.5

In Linux system administration, the Principle of Least Privilege (PoLP) is one of the core principles of secure operations. Working directly as the root user carries high risks; it is recommended to create an administrator user with sudo privileges (such as admin) to reduce the impact of accidental operations and security threats.

This article uses Rocky Linux 9.5 as an example and covers:

1) Creating an admin user

2) Granting sudo privileges (via the wheel group)

3) Optimizing sudo configuration (such as passwordless execution, command restrictions)

4) Verification and security hardening recommendations

5) A comprehensive practical guide to sudo privilege allocation

1. Create an admin user

Rocky Linux (RHEL/CentOS family) uses the wheel group to manage sudo privileges by default, unlike Debian/Ubuntu’s sudo group.

1) Create a user using useradd:

sudo useradd -m -s /bin/bash admin  # -m creates home directory, -s specifies default shell
sudo passwd admin                  # Set password

2) Or use adduser (interactive):

sudo adduser admin  # Follow prompts to set password and other information

2. Grant sudo privileges to the admin user

1) Add to the wheel group

sudo usermod -aG wheel admin  # -aG means append to group without overwriting existing groups

Verify success:

groups admin  # Output should include "wheel"

2) Ensure the wheel group is in the sudoers file

Edit the /etc/sudoers file (must use visudo to prevent syntax errors):

sudo visudo

Find the following line and make sure it is uncommented (no leading #). This option is enabled by default in Rocky Linux 9.5, so normally no configuration is needed:

%wheel  ALL=(ALL)       ALL  # Allow members of the wheel group to execute all commands (password required)

For passwordless sudo (use with caution):

%wheel  ALL=(ALL)       NOPASSWD: ALL

3. Verify sudo privileges

Switch to the admin user and test:

su - admin
sudo whoami          # Should return "root"
sudo systemctl status sshd  # Execute privileged command

4. Advanced sudo configuration (comprehensive practice)

In actual operations, sudo privileges should be finely allocated based on roles and needs. Below are configuration examples for typical scenarios:

1) Basic privilege allocation

Allow execution of specific commands (password required)

admin ALL=(ALL) /usr/bin/dnf makecache, /usr/bin/dnf upgrade

Allow executing commands as a specific user

admin ALL=(postgres) /usr/bin/pg_restore, /usr/bin/psql

2) System management privileges

Service management:

admin ALL=(ALL) NOPASSWD: /bin/systemctl start *, /bin/systemctl stop *, /bin/systemctl restart *

Package management:

admin ALL=(ALL) /usr/bin/yum install *, /usr/bin/yum remove *

3) File and directory permissions

Allow editing specific configuration files:

admin ALL=(ALL) NOPASSWD: /bin/vi /etc/nginx/nginx.conf

Allow backup operations:

admin ALL=(ALL) /bin/tar -czf /backups/*.tar.gz /var/www/html

4) Network management privileges

Firewall management:

admin ALL=(ALL) /usr/bin/firewall-cmd --add-port=*/tcp, /usr/bin/firewall-cmd --reload

Network debugging:

admin ALL=(ALL) /usr/bin/tcpdump, /usr/bin/ping

5) User and group management

Allow adding/removing users:

admin ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel

Allow modifying user passwords:

admin ALL=(ALL) NOPASSWD: /usr/bin/passwd

6) Logging and monitoring

View system logs:

admin ALL=(ALL) /usr/bin/journalctl -u nginx, /usr/bin/tail -n 100 /var/log/messages

7) Storage management

Disk management:

admin ALL=(ALL) /usr/bin/fdisk -l, /usr/sbin/parted

Mount/unmount file systems:

admin ALL=(ALL) /usr/bin/mount /dev/sdb1 /mnt/backup, /usr/bin/umount /mnt/backup

8) Security-related permissions

SELinux management:

admin ALL=(ALL) /usr/sbin/semanage, /usr/sbin/setsebool

Audit logs:

admin ALL=(ALL) /usr/sbin/ausearch, /usr/sbin/aureport
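
Several rules in this section grant more than they appear to: a `*` in sudoers arguments matches any text including spaces, a command listed without arguments accepts any arguments, and an editor run as root can start a shell (sudoedit is the usual replacement). The lint pass below is an added example, not part of the original article; `audit_sudoers`, `sample_rules` and the finding codes are hypothetical names, and the sample rules are constructed from patterns shown above plus two narrower alternatives.

```shell
#!/bin/sh
# Added example: heuristic lint for sudoers rules (not a full sudoers parser:
# no aliases, no line continuations, Defaults lines are skipped).

# audit_sudoers [FILE]  -> one "LINE: CODE: command" finding per line
audit_sudoers() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*Defaults/ { next }
    {
      spec = $0
      sub(/[ \t]+#.*$/, "", spec)                          # trailing comment
      sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", spec)     # user, host, (runas)
      nopass = (spec ~ /NOPASSWD:/)
      gsub(/(NO)?PASSWD:[ \t]*/, "", spec)
      n = split(spec, cmds, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        if (c == "ALL") { if (nopass) print NR ": NOPASSWD_ALL: " c; continue }
        split(c, w, /[ \t]+/); nb = split(w[1], p, "/"); base = p[nb]
        # "*" in arguments matches any text, spaces included
        if (c ~ /[ \t].*\*/) print NR ": WILDCARD_ARGS: " c
        # no argument list means every argument is accepted
        if (c !~ /[ \t]/) print NR ": ANY_ARGS: " c
        # editors and pagers can start a shell; sudoedit avoids that
        if (base ~ /^(vi|vim|less|more)$/) print NR ": SHELL_ESCAPE: " c
      }
    }' "$@"
}

# Constructed sample: four patterns from this section, then two narrower rules.
sample_rules() {
  cat <<'EOF'
%wheel  ALL=(ALL)       NOPASSWD: ALL
admin ALL=(ALL) NOPASSWD: /bin/systemctl start *, /bin/systemctl stop *
admin ALL=(ALL) NOPASSWD: /bin/vi /etc/nginx/nginx.conf
admin ALL=(ALL) NOPASSWD: /usr/bin/passwd
admin ALL=(ALL) /usr/bin/systemctl restart nginx.service
admin ALL=(ALL) sudoedit /etc/nginx/nginx.conf
EOF
}

sample_rules | audit_sudoers
```

The last two sample rules produce no findings: one pins the full argument list, the other uses sudoedit so the editor itself does not run as root.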

5. Security hardening recommendations

1) Disable root SSH login

Edit /etc/ssh/sshd_config:

PermitRootLogin no

Restart the SSH service:

sudo systemctl restart sshd

2) Restrict wheel group members

Regularly check privileged users:

grep '^wheel' /etc/group

3) Configure SSH key login

Use SSH key login in place of password login to enhance security (previous articles have been published on this topic).
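
The wheel check in step 2) lists only supplementary members and matches any group whose name starts with "wheel"; an account whose primary group is wheel (set by GID in /etc/passwd) does not show up. The script below is an added example, not part of the original article: it resolves both kinds of membership and reports accounts missing from an approved list. `wheel_members`, `unexpected_wheel` and the sample accounts are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: list every account whose effective groups include wheel and
# report the ones that are not on an approved list.

# wheel_members GROUP_FILE PASSWD_FILE -> sorted user names, one per line
wheel_members() {
  awk -F: '
    FNR == NR {                                  # first file: group database
      if ($1 == "wheel") {                       # exact name, not a prefix
        gid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
      }
      next
    }
    gid != "" && $4 == gid { print $1 }          # second file: primary GID
  ' "$1" "$2" | sort -u
}

# unexpected_wheel GROUP_FILE PASSWD_FILE APPROVED... -> members not approved
unexpected_wheel() {
  group_file=$1; passwd_file=$2; shift 2
  wheel_members "$group_file" "$passwd_file" | while read -r user; do
    approved=0
    for name in "$@"; do
      if [ "$user" = "$name" ]; then approved=1; fi
    done
    if [ "$approved" -eq 0 ]; then echo "$user"; fi
  done
}

# Constructed sample databases (on a live host use /etc/group and /etc/passwd).
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
wheel:x:10:admin,deploy
wheelhouse:x:1005:guest
EOF
cat > "$sample_dir/passwd" <<'EOF'
admin:x:1000:1000::/home/admin:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
svc:x:1002:10::/home/svc:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
EOF

unexpected_wheel "$sample_dir/group" "$sample_dir/passwd" admin
```

With only admin approved, the sample reports deploy (supplementary member) and svc (primary GID 10); guest is ignored because wheelhouse is a different group.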

6. Troubleshooting

1) User unable to use sudo

  • Confirm if the user is in the wheel group: id admin
  • Check /etc/sudoers syntax: sudo visudo -c

2) Home directory not created

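sudo mkdir /home/admin
sudo chown admin:admin /home/admin
sudo chmod 700 /home/admin        # Keep the home directory private to its owner
sudo restorecon -R /home/admin    # Restore the SELinux label expected for a home directory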

7. Summary

Through this article, we have completed:

✅ Created an admin user

✅ Granted wheel group sudo privileges

✅ Optimized sudo configuration (logging, command restrictions)

✅ Implemented key security measures

✅ Mastered comprehensive allocation methods for sudo privileges

By following this approach, you can safely use the admin user to manage the system on Rocky Linux 9.5, balancing efficiency and security.
