51

How can I set the Software Center to allow non-root users to install stuff from the Ubuntu repos without having to type in their password?

I'm fully aware of the security implications, and I am willing to take the risk. Fedora 12 shipped with something like this. (By modifying the PolicyKit configuration, I believe)

Olli
  • 8,971
dieki
  • 3,362
  • 5
    It's important to note that Fedora also backed it out after the sky fell down on them. – Nicholas Knight Jul 28 '10 at 23:34
  • Yeah, I remember that. It really only makes sense on Desktop computers with only one or two users. – dieki Jul 29 '10 at 11:53
  • Bear in mind some app-market software like Software Center allows to change system repositories. A self-service of packages is risky, but users adding untrusted package sources is really dangerous. – Alfonso E.M. Mar 07 '19 at 15:31

5 Answers5

37

You can modify the PolicyKit permissions to allow the users to access the aptdaemon backend that Software Centre uses.

dpkg --listfiles aptdaemon shows that /usr/share/polkit-1/actions/org.debian.apt.policy is the file specifying the actions possible on the aptdaemon backend.

Looking in that file, the < action id=""> tags specify the possible actions. You'd probably want org.debian.apt.install-packages to allow users to install new packages from the archive, and org.debian.apt.update-cache to allow users to update the package lists.

See man pklocalauthority which documents how to set local permissions on PolicyKit actions. Putting the following into /etc/polkit-1/localauthority/50-local.d/10-allow-users-to-install.pkla will allow any user logged in to the local machine to install packages after typing their own password (even when they're not in the admin group) and to update the package cache without typing any password.

[Untrusted Install]
Action=org.debian.apt.install-or-remove-packages
ResultyAny=no
ResultInactive=no
ResultActive=auth_self

[Untrusted Update]
Action=org.debian.apt.update-cache
ResultAny=no
ResultInactive=no
ResultActive=yes
Zanna
  • 70,465
RAOF
  • 11,769
  • Kubuntu's policies (at least in Natty and Oneiric) are in /usr/share/polkit-1/actions/org.kubuntu.qaptworker.policy – Lekensteyn Nov 13 '11 at 12:55
  • Instructions for Kubuntu can be found in my answer – Lekensteyn Nov 13 '11 at 13:49
  • Life saver - cheers mate! I had to add Identity=* to get this to work, adapted from http://askubuntu.com/a/123260. Also, is there any way to get more policy kit log output in e.g. /var/log/auth.log (or any other log files) ? I only get authentication fails messages, but no reason why it failed... – ssc Sep 10 '15 at 16:17
11

I don't think it's currently possible to do so via the GUI, but the following should work, albeit be a little kludgy. YMMV.

Add the following line to /etc/sudoers (use sudo visudo to edit the file):

%packageinstallers ALL = NOPASSWD: /usr/bin/software-center /usr/bin/apt-get

Then you just need to create and add the specific users to the packageinstallers group:

$ sudo addgroup packageinstallers
$ sudo adduser jdoe packageinstallers

Now jdoe can do the following:

$ sudo apt-get install <some-package>

and you can edit the desktop menu item for the Software Center so that it call on software-center prepending the command with gksudo.

PolicyKit may allow you to do so without sudo, but it's beyond my understanding at this point.

lfaraone
  • 4,697
  • Does this let them install from Synaptic or aptitude, or just apt-get? – dieki Jul 28 '10 at 19:55
  • If you were to add "/usr/bin/synaptic" to the list, it would. In fact, you could probably add "/usr/bin/software-center" to the list and it'd work. Haven't tested that though, let me know if it works and I'll update the answer. – lfaraone Jul 28 '10 at 20:01
  • I'll try that. :) – dieki Jul 28 '10 at 20:09
  • That would require that the users know to run software-centre with sudo, or for you to modify the .desktop file.

    See my answer on how to tweak PolicyKit to do what you want.

     – RAOF Jul 29 '10 at 02:24
  • Agreed, that'd be a superior solution. – lfaraone Jul 29 '10 at 02:32
5

If you only need a generic permission to allow/disallow package installation, go for PolicyKit.

Unfortunately PolicyKit doesn't have fine control over the package to install. If you want to give your users permission to install only a restricted set of applications, you should use sudo and install something like softwarechannels...

I also looked for something like that, but since I didn't find anything, I coded this easy solution "softwarechannels", available here on GitHub

It is a very simple system to allow common (non-admin) users to install packages from restricted catalogs.

Just define 'channels' (groups of packages) in a simple text file and give your users permissions to launch softwarechannels.

They will only see packages in channels matching their unix groups.

Zanna
  • 70,465
Alfonso E.M.
  • 81
5

RAOF's answer applies to Ubuntu only. Kubuntu uses QAptWorker as backend (observed for Natty and Oneiric). To allow for non-root installations, create /etc/polkit-1/localauthority/50-local.d/10-allow-non-root-install-packages.pkla containing:

[Update Software Sources]
Action=org.kubuntu.qaptworker.updateCache
ResultAny=no
ResultInactive=no
ResultActive=yes

[Install Software]
Action=org.kubuntu.qaptworker.commitChanges
ResultAny=no
ResultInactive=no
ResultActive=auth_self

I wanted to allow some non-admin users to install software while not granting sudo access directly. That was accomplished by inserting the next lines in both configuration groups:

Identity=unix-user:some-non-admin-user

If there is a group that must be granted permission, use unix-group instead of unix-user.

Community
  • 1
Lekensteyn
  • 174,277
  • To re-apply the rules, I rebooted. (a re-login would probably work too) – Lekensteyn Nov 13 '11 at 21:47
  • How are you supposed to do this? Even after sudo -i I don't even have access to /etc/polkit-1/localauthority (Ubuntu 17.10): "Will not attempt to process directory /etc/polkit-1/localauthority" – JHBonarius Jan 19 '18 at 20:41
0

To make this working in my Ubuntu 18.04, I had to change the /etc/polkit-1/localauthority/50-local.d/10-allow-users-to-install.pkla file to:

[Untrusted Install]
#Action=org.debian.apt.install-or-remove-packages
Action=org.freedesktop.packagekit.package-*
ResultyAny=no
ResultInactive=no
ResultActive=auth_self
Identity=*

[Untrusted Update]
Action=org.debian.apt.update-cache
ResultAny=no
ResultInactive=no
ResultActive=yes
Identity=*

[Admin Install]
#Action=org.debian.apt.install-or-remove-packages
Action=org.freedesktop.packagekit.package-*
ResultyAny=no
ResultInactive=no
ResultActive=yes
Identity=unix-group:adm

Moreover with the last rule I enable everybody in the adm group to install/remove without any password.

Zioalex
  • 151