• We had to restore from a backup today after a failed software update. Backup was from 0000 EDT and restored it at 0800 EDT so we lost about 8hrs. Today is 07/20/2024. More info here.

[SOLVED] Cannot Enable "Lock root account" During RedHat-type Installations? (e.g., Alma, Rocky, Oracle)

sphen

Well-Known Member
Joined
Dec 12, 2022
Messages
871
Reaction score
757
Credits
10,429
I recently downloaded and installed a few RedHat-type distros over the past two weeks: AlmaLinux, Rocky Linux, and Oracle Linux. The installers look similar if not identical.

The "Begin Installation" button stays grayed out (disabled) unless you uncheck the "Lock root account" setting to disable it. In other words, the root account must be given a password and enabled to install those RedHat-type Linux distros.

I prefer to leave the root account disabled and run "sudo" when needed. Yes, I can fix the issue after installation by creating an admin account with sudo privileges and then disabling root, but that is not the point.

I think that this may be a common installer "bug", but wonder whether I am missing something obvious? Have others successfully run one of those RedHat-type installations with the "Lock root account" setting checked (enabled)?
 


I recently downloaded and installed a few RedHat-type distros over the past two weeks: AlmaLinux, Rocky Linux, and Oracle Linux.
In other words, the root account must be given a password and enabled to install those RedHat-type Linux distros.
I think what is important is not that these are all Red Hat type distros, but rather that they are all server type distros. Fedora allows you to install with a disabled root account, if you wish.

I'm not a server guru, but a little Googling seems to indicate that one very important feature of having a root account on a server is that root can control the sudoers and limit their power. So, for example, a database manager may have some sudo powers needed for their job, but they might be denied the ability to create new users, or to install software, or to reboot the server... reserving those powers for root only (or having those powers delegated to another sub-administrator). This may be described as "The principle of least privilege."

On a typical user desktop system, root and sudo are practically the same, but the requirements of a server may be different. I don't think this is a bug.
 
Normally on servers you leave the root account enable that way you have a backup way of getting in if the other ways of connecting to the server get locked out. It's possible to leave the root account disabled during install but you have to make your user administrator.
1. When you get to the "Installation Summary".
2. Go to "User Creation"
3. Select "Make this user administrator"
4. Click "Done" twice.
5. In the "Installation Summary" the incomplete warning should now be gone.
 
I think what is important is not that these are all Red Hat type distros, but rather that they are all server type distros. Fedora allows you to install with a disabled root account, if you wish.

I'm not a server guru, but a little Googling seems to indicate that one very important feature of having a root account on a server is that root can control the sudoers and limit their power. So, for example, a database manager may have some sudo powers needed for their job, but they might be denied the ability to create new users, or to install software, or to reboot the server... reserving those powers for root only (or having those powers delegated to another sub-administrator). This may be described as "The principle of least privilege."

On a typical user desktop system, root and sudo are practically the same, but the requirements of a server may be different. I don't think this is a bug.
These are all great points and I was aware of them.

I have been running servers with root disabled for a few years without issues. Depending on the system, I sometimes create a backup administrator account for emergencies. (It starts with "z" so that it appears at the end of lists.) Lately, I have been running servers on Debian with root disabled at install time. In the past, I ran CentOS and had to leave root enabled because of their OpenVZ virtualization.

I have been exposed to the concept of least privilege once or twice in the past. ;-)
 
Normally on servers you leave the root account enable that way you have a backup way of getting in if the other ways of connecting to the server get locked out. It's possible to leave the root account disabled during install but you have to make your user administrator.
1. When you get to the "Installation Summary".
2. Go to "User Creation"
3. Select "Make this user administrator"
4. Click "Done" twice.
5. In the "Installation Summary" the incomplete warning should now be gone.
This was very helpful. When I read it, I thought to myself, "Self, you must have missed a button somewhere that lets you create an admin account and leaves root disabled." I was wrong - the button was hidden and effectively invisible for all the "RedHat-type" installations I performed (AlmaLinux, Rocky Linux, and Oracle Linux). The installers all look the same to me.

I downloaded AlmaLinux again and began to install it. When I got to the Installation Summary page, the "User Creation" button was not there. It was totally and completely hidden in the installer. The scrollbar on the side stops about 2/3 of the way down the side, which was a clue - I have seen the problem where an operating system installer expected a higher resolution display, and my virtual machine software (VMware Fusion on Mac) offered what appears to be 640x480 (?).

I figured it out how to make it work. You can activate "User Creation" button so that its dialog box appears. Here is my solution:

PROCEDURE TO INSTALL REDHAT-TYPE DISTROS WITH ROOT DISABLED, WHERE "USER CREATION" IS NOT VISIBLE
(Tested in VMware Fusion on Mac):
  1. Begin with a normal RedHat-type installation from the .iso file.
  2. Highlight and enter values for the settings in the INSTALLATION SUMMARY page.
    • You must select Installation Destination and confirm the settings to disable the "Automatic partitioning selected" warning.
    • Ignore the "Root Password" and "User Creation" settings for now.
    • When finished, move to the next step.
  3. Use the cursor arrow keys on your keyboard to highlight the "Root Password" button.
    • You want to highlight it, but do not open it. (If you accidentally open it, leave "Lock root account" checked (enabled) and click the Done button. The INSTALLATION SUMMARY icons should reappear.
  4. Once the "Root Password" button is selected (highlighted) in the INSTALLATION SUMMARY window, press the Down Arrow key on your keyboard.
    • The highlighting on "Root Password" will turn off.
    • The hidden, invisible "User Creation" button is "highlighted", but you can't see it.
  5. Press the Return or Enter key to activate the User Creation dialog box.
    • The title at the top says, "CREATE USER".
  6. Create your user account:
    • Give it a Full name, User name, and Password.
    • -> Enable (check) the "Make this user administrator" setting.
    • Enable (check) "Require a password to use this account" setting, too.
  7. Click the Done button in the top left corner of the CREATE USER dialog box.
    • Note that "Root account is disabled" warning has disappeared.
    • The Begin Installation button should now be enabled.
  8. Click the Begin Installation button.

AlmaLinux Installation Images (below):
  1. Start of Normal Installation
    • Note the warnings on the "Installation Destination" and "Root Password" buttons.
  2. Same as #1 Above, but Scrolled Down Fully
    • Note that the "User Creation" button is still missing. It is there, but hidden below "Root Password". The scroll bar stops prematurely and won't let you see it. I never actually saw it.
  3. The "Root Password" Button Is Highlighted
  4. The "Create User" Dialog Box
  5. Main "INSTALLATION SUMMARY" Page after Creating an Admin Account
    • The "Root account is disabled" warning message has changed from red to gray.
  6. After Confirming the "Installation Destination" Settings
    • The "Automatic partitioning selected" warning message has changed from red to gray.
    • The "Begin Installation" button is enabled.
    • The installer is ready to install the RedHat-type Linux for you.
1 AlmaLinux Installation.jpeg 2 AlmaLinux Installation.jpeg 3 AlmaLinux Installation.jpeg 4 AlmaLinux Installation.jpeg 5 AlmaLinux Installation.jpeg 6 AlmaLinux Installation.jpeg
 
This was very helpful. When I read it, I thought to myself, "Self, you must have missed a button somewhere that lets you create an admin account and leaves root disabled." I was wrong - the button was hidden and effectively invisible for all the "RedHat-type" installations I performed (AlmaLinux, Rocky Linux, and Oracle Linux). The installers all look the same to me.
  • -> Enable (check) the "Make this user administrator" setting.
Yes it's just a checkbox, nothing more.
 
Yes it's just a checkbox, nothing more.
True, but you need a way to see the button that gives you access to it.

There were other solutions that would have worked. I could have modified the default virtual machine display to fit, for example.

Another solution that I actually tested is the text-based AlmaLinux installer that you can find through "Troubleshooting" on the startup menu. It worked fine, including the creation of an admin account while leaving the root account disabled.
 

Members online


Top