Server User and Group Administration with Least-Privilege Sudo
You will provision server accounts with role-based groups, scoped sudo rules, password aging, and lockout on failed logins. By the end, access is least-privilege and every privileged action is auditable.
Learning Objectives
- Create role groups and assign users to them.
- Write a least-privilege sudoers drop-in safely.
- Apply password aging and account lockout.
- Time: ~2 hours · Difficulty: Intermediate · Prereqs: a server with root/sudo.
Architecture Overview
graph TD
U[User] -->|member of| G[Role group: ops]
G -->|sudoers drop-in| S{Allowed command?}
S -->|yes| Run[Run as root + logged]
S -->|no| Deny[Denied + audited]
Environment Setup
You will need: shadow-utils, sudo, and PAM faillock (default on Ubuntu/RHEL).
Before you begin: keep a second root session open while editing sudoers.
Step-by-Step Execution
01
Create a role group and user
Groups let you grant access by role rather than per user, which scales cleanly.
sudo groupadd ops && sudo useradd -m -s /bin/bash -G ops deploy && sudo passwd deploy[ROOT REQUIRED] Creates the ops group and a member user.
02
Grant a scoped sudo rule with visudo
Editing through visudo validates syntax so a typo cannot lock everyone out of sudo.
echo '%ops ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl' | sudo EDITOR='tee' visudo -f /etc/sudoers.d/ops03
Apply password aging and lockout
# chage -M 90 -W 7 deploy && faillock --user deploy
deploy:
When Type Source Valid
(no failed logins)
Progress So Far
graph LR
A[01 Group + user] -->|done| B[02 Scoped sudo]
B -->|done| C[03 Aging + lockout]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
sudo -l -U deploy && chage -l deployYou should see only the two allowed sudo commands and the 90-day aging policy. If so, least-privilege access is enforced.
Troubleshooting
- Broken sudoers locks out sudo: use the open root session and run
visudo -cto find the error. - Group change not effective: the user must log out and back in.
- Account locked: reset with
faillock --user deploy --reset.
Extension Ideas
- Centralize accounts with LDAP or FreeIPA for many servers.
- Pair with SSH Hardening for key-only access.
- Ship sudo logs to your SIEM from Log Management.
Key Results
- Granted access by role group rather than per-user edits.
- Limited sudo to 2 explicit commands, fully audited.
- Enforced 90-day password aging with lockout on failures.
- Confirmed effective privileges with
sudo -l.