How to Create a New Sudo-Enabled User on Rocky Linux 8 – Quickstart

Creating a new sudo-enabled user on Rocky Linux 8 is a fundamental skill for server management that significantly enhances system security by reducing the need to operate as root directly. This quickstart guide will walk you through the complete process of adding new users with appropriate sudo privileges, covering essential commands, configuration methods, and security best practices that every system administrator should master to maintain proper access control on their Rocky Linux servers.

How Sudo User Creation Works in Rocky Linux 8

Rocky Linux 8 utilizes the traditional Linux user management system combined with sudo functionality for privilege escalation. When you create a sudo-enabled user, you’re essentially configuring two separate components: the user account itself through the standard user management tools, and the sudo privileges through either the sudoers file or by adding the user to the wheel group.

The wheel group is a special system group in Red Hat-based distributions that grants sudo access to its members. By default, Rocky Linux 8 comes with the wheel group preconfigured in the sudoers file, making it the most straightforward method for granting administrative privileges.

Here’s how the privilege escalation chain works:

  • User executes a command with sudo prefix
  • System checks if user belongs to wheel group or has specific sudoers entry
  • If authorized, system prompts for user’s password (not root password)
  • Command executes with root privileges
  • Action is logged to /var/log/secure for audit purposes

Step-by-Step Implementation Guide

Let’s create a new sudo-enabled user from scratch. This process assumes you’re currently logged in as root or have existing sudo privileges.

Method 1: Using adduser Command with Wheel Group

First, create the new user account (on Rocky Linux, adduser is a symlink to useradd, so it does not prompt interactively the way Debian's adduser does; the home directory is still created because /etc/login.defs sets CREATE_HOME to yes):

adduser username

Set a password for the new user:

passwd username

Add the user to the wheel group to grant sudo privileges:

usermod -aG wheel username

Verify the user has been added to the wheel group:

groups username

Method 2: Creating User with Home Directory and Shell Options

For more control over user creation, use these expanded options:

useradd -m -d /home/username -s /bin/bash username
passwd username
usermod -aG wheel username

Flag breakdown:

  • -m: Creates the home directory
  • -d: Specifies the home directory path
  • -s: Sets the login shell
  • -aG: -a appends to the supplementary group list instead of replacing it (omitting -a would drop the user from every other group); -G names the group(s) to add
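The two methods above are the same procedure, so here is one script that carries it through end to end. It is an added example, not code from the original post: it creates the account, appends it to wheel, expires the password so the bootstrap password must be changed at first login, and verifies wheel membership by reading the group file. The membership check takes the group file path as an argument so it can be exercised against a constructed sample without root; the creation step itself must run as root, and the account names are placeholders.

```shell
#!/bin/sh
# Added example: create a sudo-enabled user on Rocky Linux 8 and verify it.

# user_in_group USER GROUP [GROUPFILE]: succeed if USER is a supplementary
# member of GROUP according to GROUPFILE (default /etc/group).
user_in_group() {
    _user=$1
    _group=$2
    _groupfile=${3:-/etc/group}
    # Group file line format: name:password:gid:member1,member2,...
    _members=$(awk -F: -v g="$_group" '$1 == g { print $4 }' "$_groupfile")
    case ",$_members," in
        *",$_user,"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# create_sudo_user USER: create the account with a home directory and bash
# shell, append it to wheel, and confirm the membership actually landed.
create_sudo_user() {
    _user=$1
    useradd -m -s /bin/bash "$_user"
    usermod -aG wheel "$_user"        # -a keeps the existing supplementary groups
    user_in_group "$_user" wheel || {
        echo "error: $_user is not in wheel" >&2
        return 1
    }
}

# expire_password USER: force a password change at first login. Run this AFTER
# passwd, because passwd resets the last-change date and would undo it.
expire_password() {
    chage -d 0 "$1"
}

# write_sample_group FILE: constructed /etc/group excerpt used for offline checks.
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:10:alice,charlie
users:x:100:
alice:x:1000:
bob:x:1001:
EOF
}

# Usage (as root):  sh create_sudo_user.sh alice
# The password is set interactively so it never appears in shell history.
if [ "$#" -eq 1 ] && [ "$(id -u)" -eq 0 ]; then
    create_sudo_user "$1" && passwd "$1" && expire_password "$1"
fi
```

The check at the end of create_sudo_user is the same test the page performs with `groups username`, just made scriptable: a deployment that silently skips the usermod step (for example because wheel does not exist on a minimal image) fails loudly instead of leaving an account without the privileges it was supposed to have.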

Method 3: Direct Sudoers File Configuration

For granular control over sudo permissions, edit the sudoers file directly:

visudo

Add this line below the wheel group configuration:

username ALL=(ALL) ALL

For passwordless sudo access (use cautiously):

username ALL=(ALL) NOPASSWD: ALL

Testing and Verification

After creating the user, test the sudo functionality:

su - username
sudo whoami

The output should display “root” if sudo is working correctly. You can also test with a system command:

sudo systemctl status sshd

Check sudo access logs:

sudo tail -f /var/log/secure | grep sudo

Real-World Examples and Use Cases

Here are practical scenarios where sudo-enabled users prove essential:

Development Team Access

Create users for development team members who need occasional administrative access:

for user in alice bob charlie; do
    adduser "$user"
    # --stdin is a Red Hat-specific passwd option; this shared bootstrap
    # password is only acceptable because it is forced to expire below.
    echo "TempPass123!" | passwd --stdin "$user"
    usermod -aG wheel "$user"
    # passwd resets the last-change date, so expire the password afterwards
    # to make each user pick their own at first login.
    chage -d 0 "$user"
    echo "Created user: $user"
done

Service Account with Limited Privileges

Create a service account that can only restart specific services:

adduser servicebot
passwd servicebot
visudo -f /etc/sudoers.d/servicebot

Add specific permissions to the new file:

servicebot ALL=(ALL) NOPASSWD: /bin/systemctl restart nginx, /bin/systemctl restart php-fpm

Automated Deployment User

For CI/CD pipelines, create a deployment user with specific permissions. Note that wheel membership, as used below, grants the pipeline unrestricted root; where the pipeline only needs a handful of commands, a sudoers.d fragment listing exactly those commands (as in the servicebot example above) is the safer fit:

adduser deploy
usermod -aG wheel deploy
mkdir -p /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chown deploy:deploy /home/deploy/.ssh

Comparison with Alternative Methods

Method            Security Level   Ease of Setup   Management Overhead   Best For
Wheel Group       High             Very Easy       Low                   General administrative access
Direct Sudoers    Very High        Moderate        Medium                Granular permissions
Sudoers.d Files   Very High        Moderate        Low                   Service accounts, automation
Root Access       Low              Easy            High Risk             Emergency situations only

Best Practices and Security Considerations

Follow these essential security practices when creating sudo-enabled users:

  • Always use strong passwords and consider implementing password policies
  • Regularly audit sudo access with the sudo -l command (sudo -l -U username shows what another account is allowed to run)
  • Use sudoers.d directory for custom configurations instead of editing main sudoers file
  • Enable sudo session logging for compliance requirements
  • Implement account lockout policies for failed authentication attempts
  • Consider using SSH key authentication instead of password-based login
  • Regularly review /var/log/secure for suspicious sudo activity
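Both the verification section and the last bullet above point at /var/log/secure, so here is what "review for suspicious sudo activity" looks like as a script. It is an added example, not from the original post: it pulls out the three kinds of refusal sudo logs (caller not in sudoers, command not allowed by policy, authentication failure) and prints who asked for what. The log excerpt is constructed in the format Rocky Linux 8 writes; hostnames, users, PIDs and timestamps are placeholders.

```shell
#!/bin/sh
# Added example: extract refused sudo attempts from /var/log/secure-style lines.

# sudo_denials FILE: print one "user|reason|command" line for every sudo event
# that was refused.
sudo_denials() {
    awk '
        /sudo\[[0-9]+\]:/ && /(NOT in sudoers|command not allowed|incorrect password attempt)/ {
            # Layout: "... sudo[PID]: <user> : <reason> ; TTY=... ; COMMAND=..."
            split($0, part, " : ")
            user = part[1]
            sub(/.*sudo\[[0-9]+\]: +/, "", user)
            reason = part[2]
            sub(/ ; .*/, "", reason)
            cmd = ""
            if (match($0, /COMMAND=.*/)) cmd = substr($0, RSTART + 8)
            print user "|" reason "|" cmd
        }' "$1"
}

# count_sudo_denials FILE: number of refused sudo events in FILE.
count_sudo_denials() {
    sudo_denials "$1" | wc -l | tr -d ' '
}

# write_sample_secure FILE: constructed excerpt (one successful use, three
# refusals, plus unrelated sshd and session lines that must be ignored).
write_sample_secure() {
    cat > "$1" <<'EOF'
Jun  3 09:14:02 web1 sudo[21733]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl status sshd
Jun  3 09:15:40 web1 sudo[21790]:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun  3 09:16:11 web1 sudo[21801]: servicebot : command not allowed ; TTY=pts/2 ; PWD=/home/servicebot ; USER=root ; COMMAND=/bin/bash
Jun  3 09:17:05 web1 sudo[21822]:   alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jun  3 09:17:30 web1 sshd[21830]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jun  3 09:18:00 web1 sudo[21840]: pam_unix(sudo:session): session opened for user root by alice(uid=0)
EOF
}

# Usage on a live host (as root):  sudo_denials /var/log/secure
```

The servicebot line is the interesting one for the service-account pattern earlier on the page: a restricted account trying to run /bin/bash through sudo is exactly the event a narrow sudoers.d fragment is meant to produce, and it is worth alerting on rather than just counting.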

Password Policy Configuration

Strengthen password requirements by configuring PAM. On Rocky Linux 8 authconfig is deprecated and shipped only as a compatibility wrapper around authselect, so check that the command below is available; the settings it writes correspond to minlen, minclass and maxrepeat in /etc/security/pwquality.conf, which can be edited directly instead:

authconfig --passminlen=8 --passminclass=3 --passmaxrepeat=2 --enablereqlower --enablerequpper --enablereqdigit --update

Sudo Session Recording

Enable comprehensive sudo session logging. Use visudo -f rather than a plain echo so a typo cannot break sudo, and keep the file free of dots and tildes in its name, as sudo skips such files in sudoers.d:

visudo -f /etc/sudoers.d/logging

with these two lines:

Defaults log_input, log_output
Defaults logfile=/var/log/sudo.log

log_input and log_output record the terminal I/O of each sudo session under /var/log/sudo-io; replay a recorded session with sudoreplay.

Common Pitfalls and Troubleshooting

Here are frequent issues and their solutions:

User Not in Sudoers File Error

If you see “user is not in the sudoers file”, verify group membership:

id username
groups username

If the user isn’t in the wheel group, add them:

usermod -aG wheel username

Sudoers File Syntax Errors

Always use visudo to prevent syntax errors. If you’ve corrupted the sudoers file:

pkexec visudo

Or boot into single-user mode to fix the file directly.

Permission Denied Despite Correct Setup

Check if sudo is properly configured and the wheel group is enabled:

grep -E '^%wheel' /etc/sudoers

The line should be uncommented and look like:

%wheel ALL=(ALL) ALL

Advanced Configuration Options

For enterprise environments, consider these advanced configurations:

Time-Based Sudo Access

Restrict sudo access to business hours. The sudoers format has no syntax for recurring time windows (its NOTBEFORE= and NOTAFTER= options take absolute timestamps), so a line such as

username ALL=(ALL) ALL, !Sh:0000-0800, !Sh:1800-2359

is rejected by visudo. On Rocky Linux 8 the restriction is applied through PAM instead: add an account rule to /etc/pam.d/sudo ahead of the system-auth include,

account    required     pam_time.so

and define the window in /etc/security/time.conf (fields are services;ttys;users;times; Wk means weekdays):

sudo;*;username;Wk0800-1800

Command Aliases for Complex Permissions

Create command aliases for easier management:

Cmnd_Alias WEBSERVICES = /bin/systemctl start nginx, /bin/systemctl stop nginx, /bin/systemctl restart nginx
username ALL=(ALL) WEBSERVICES
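The servicebot fragment earlier on the page and the Cmnd_Alias above are the same idea, so here is one script that generates such a fragment from a list of systemd units and installs it safely. It is an added example, not the post's own code: the fragment is checked with visudo -c before it is placed in /etc/sudoers.d, so a malformed file never reaches sudo, and it is installed with the 0440 root:root permissions sudo expects. The account and unit names are placeholders, and the install step must run as root.

```shell
#!/bin/sh
# Added example: build and install a least-privilege sudoers.d fragment.

# render_service_sudoers USER UNIT...: print a fragment that lets USER restart
# exactly the named units as root without a password, via one Cmnd_Alias.
render_service_sudoers() {
    _user=$1
    shift
    # Alias names must consist of upper-case letters, digits and underscores.
    _alias=$(printf '%s' "$_user" | tr 'a-z-' 'A-Z_')_SERVICES
    _cmds=""
    for _unit in "$@"; do
        _cmd="/bin/systemctl restart $_unit"
        if [ -z "$_cmds" ]; then _cmds=$_cmd; else _cmds="$_cmds, $_cmd"; fi
    done
    printf 'Cmnd_Alias %s = %s\n' "$_alias" "$_cmds"
    # (root) rather than (ALL): the account never needs to run as another user.
    printf '%s ALL=(root) NOPASSWD: %s\n' "$_user" "$_alias"
}

# install_sudoers_fragment NAME: read a fragment on stdin, refuse to install it
# if visudo rejects the syntax, otherwise place it in /etc/sudoers.d with the
# 0440 root:root permissions sudo requires.
install_sudoers_fragment() {
    _name=$1
    _tmp=$(mktemp) || return 1
    cat > "$_tmp"
    if ! visudo -c -f "$_tmp"; then
        echo "error: fragment rejected by visudo, not installed" >&2
        rm -f "$_tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$_tmp" "/etc/sudoers.d/$_name"
    rm -f "$_tmp"
}

# Usage (as root):  sh service_sudoers.sh servicebot nginx php-fpm
if [ "$#" -ge 2 ] && [ "$(id -u)" -eq 0 ]; then
    render_service_sudoers "$@" | install_sudoers_fragment "$1"
fi
```

Each command in the alias carries its full argument list, so sudo matches only those exact invocations; `sudo systemctl restart sshd` or `sudo systemctl` with no arguments is refused and shows up in /var/log/secure as "command not allowed".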

Host-Based Restrictions

Limit sudo access to specific hosts in multi-server environments:

username webserver1,webserver2=(ALL) ALL

This comprehensive approach to creating sudo-enabled users on Rocky Linux 8 ensures both security and functionality. Whether you’re managing a single server or a complex infrastructure, these methods provide the flexibility needed for proper access control while maintaining system security standards.

For hosting these Rocky Linux 8 configurations, consider reliable infrastructure solutions like VPS hosting or dedicated servers that provide the performance and control needed for enterprise-grade user management implementations.
