Recent macOS doesn’t have a root user; only sudo and admin users.
Is Rocky Linux as well designed to be installed without a root user? So that would mean root disble on teh install page but an user with admin rights to be created.
I have never chosen the “disabled” option in installer. I presume that then one must create regular account. The regular account will be member of group wheel that can sudo.
There will always be account ‘root’. You merely control how one can become root.
@halloleo The answer to this question is both yes and no. As @jlehtone suggests, the root account will always be there, but the recommended way (like with macOS) is to create a regular user with administrative rights and turn off direct root logins. It is still possible to allow direct root logins, but from a security standpoint, it isn’t recommended.
Remote access to root should definitely be locked down, either disabled totally or just allowed via ssh keys with strong restrictions on the key (eg from= type stuff) to allow for automation.
Local access to root may be permitted from a text console, ideally with the password vaulted in an enterprise tool. This can be really helpful for recovery if a machine can’t talk cleanly on the the network (or if your PAM stack is configured for AD and stops working, or…); an approved SA can connect to the console, login as root and stands a chance of fixing things.
BAU activity by humans definitely shouldn’t be done by logging in as root; I don’t even normally like su or sudo -s; limited set of approved sudo commands to cover every-day activity (providing good audit logs), with unlimited access (su or sudo -s type stuff) being exception break glass with ticket.
But that’s my view of enterprise security controls; this doesn’t necessarily apply to one-offs or homelabs or personal setups.