Linux User and Group Administration with sudo and PAM
I administered users and groups with useradd/usermod, scoped privilege escalation through targeted sudoers rules, and tightened password policy with PAM. Granting specific sudo commands instead of full root enforced least privilege with an auditable trail.
Objective & Context
Account management is foundational access control. This lab creates service and human accounts, manages supplementary groups, writes least-privilege sudoers entries via drop-ins, and sets password aging, aligning to NIST AC-2/AC-6.
Environment & Prerequisites
- Linux with shadow-utils, sudo, and PAM.
- Root/sudo to manage accounts.
visudofor safe sudoers editing.
flowchart LR
U[user] --> S{sudoers rule}
S -->|allowed command| Run[run as root]
S -->|other| Deny[denied + logged]
Step-by-Step Execution
1. Create a user with a primary and supplementary group
useradd -m -s /bin/bash -G web deploy && passwd deploy2. Grant a scoped sudo rule [ROOT REQUIRED]
echo 'deploy ALL=(root) NOPASSWD:/usr/bin/systemctl restart nginx' | visudo -cf -3. Enforce password aging
chage -M 90 -W 7 deploy && chage -l deployMaximum number of days between password change : 90
Validation & Testing
As the new user, confirm the single allowed sudo command works and any other is denied and logged. Pass criteria: least-privilege sudo enforced, group membership grants the intended file access, and password aging applies.
Advanced: Troubleshooting
- Broken sudoers: always edit with
visudo; a syntax error can lock out sudo entirely. - Group change not active: supplementary group changes need a fresh login.
- Locked account: check
passwd -Sand PAM faillock state.
Key Results
- Replaced blanket root with command-scoped sudo rules.
- Managed access via supplementary groups, not per-file grants.
- Enforced 90-day password aging with expiry warnings.
- Kept an auditable trail of privileged command use.