Least-privilege sudo for a deploy user
The deploy account has full root via sudo, far more than it needs. Scope it down to exactly one command (restarting the app), graded on the commands the rule actually grants.
Scenario
The CI/CD deploy account needs to restart the app after a release, and that's all. But right now it
has full root through sudo (deploy ALL=(ALL) ALL). If those credentials leak, the whole box is
gone. Scope it down to the one command it actually needs.
Your job
Edit the sudoers drop-in so that deploy:
- can run
systemctl restart myappvia sudo, - cannot run arbitrary commands as root, and
- is scoped to exactly that command (not all of
systemctl, notALL).
The fix is one line in the drop-in: a single command path for deploy, nothing wider.
How it's graded
We parse the rule and check the commands it actually grants deploy. Granting ALL (or bare
systemctl) fails; granting just the restart command passes.
Teaches: least-privilege sudo: scoping elevated access to the single command a role needs.
What gets checked
Your solution is verified against each of these:
- deploy can restart myapp via sudo
- deploy does NOT have full (ALL) sudo
- The grant is scoped to exactly systemctl restart myapp
Solve it in your browser
No setup, no install. Write your solution in the editor and hit Check. The in-house engine renders and grades it instantly, then issues your proof the moment every check passes.
Solve in browser →Prefer your own lab?
- Build the fix locally. New to the tooling? See setting up your lab.
- Push your topology file, device configs, and any playbooks to a public repo (GitHub or GitLab).
- Submit the repo link. We review it by hand, confirm it works, and issue your proof page.