6

I want to edit the /etc/sudoers file so that a non-admin user can install software via the Software Center in Linux Mint 10. The reason for this is that I want a user to have the capability to install programs, but not make any other configuration changes to the system.

So far I have the following (some of these may not make sense, I was just trying whatever I thought of)

username ALL= /usr/bin/aptitude 
username ALL= /usr/bin/dpkg 
username ALL= /usr/local/bin/apt-get 
username ALL= /usr/lib/linuxmint/mintUpdate/mintUpdate.py
username ALL= /usr/bin/software-center
username ALL= /usr/bin/synaptic

So far, it allows me to do updates without asking for my password, but it will not let me install software without entering an admin password.

I am aware of this question, How can I set the Software Center to install software for non-root users?, but this goes the route of modifying the PolicyKit, whereas I'm interested in a sudo solution, because it seems a simpler way to go.

Chance
  • 278

3 Answers

6

Note that giving users access to dpkg (or to a smaller extent any other package managers) effectively gives them complete root access. There is nothing stopping such a user from creating a totally new package with a setuid shell and installing it via dpkg, and then running that shell to gain full root privileges.

Kees Cook
  • 17,473
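An added example, not part of the answer above: a small Python audit that flags sudoers rules granting package managers, which the answer describes as effectively root access, and reports how sudo would match each rule's arguments. The sample rules are constructed from the question and answers on this page, and the parser is a simplified assumption (no alias expansion, includes or line continuations).

```python
import os
import re

# Package front ends named in the question. Per the answer above, running
# any of them via sudo lets the user install arbitrary package contents.
PACKAGE_TOOLS = {"dpkg", "apt-get", "aptitude", "synaptic", "software-center"}

# Constructed sample: rules taken from the question and answers on this page,
# plus a wildcard variant and an unrelated rule for contrast.
SAMPLE_SUDOERS = """\
Defaults env_reset
username ALL= /usr/bin/aptitude
username ALL= /usr/bin/dpkg   # trailing comment
username ALL=(root) NOPASSWD: /usr/bin/apt-get install, /usr/bin/apt-get update
username ALL= /usr/bin/apt-get install *
operator ALL= /sbin/shutdown -h now
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<cmds>.+)$")
PREFIX = re.compile(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*")  # (runas) and tags


def classify(args):
    """Describe how sudo matches the arguments of a command spec."""
    if not args:
        return "any arguments"            # bare path: user picks the arguments
    if re.search(r"[*?\[]", args):
        return "wildcard arguments"       # e.g. 'install *' matches any package
    return "exact arguments only"         # must be typed exactly as written


def audit(text):
    """Return (line, user, path, match_kind) for each package-tool grant.

    Simplified parser: no alias expansion, line continuations or #include.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m["who"] == "Defaults" or m["who"].endswith("_Alias"):
            continue
        for spec in m["cmds"].split(","):
            path, _, args = PREFIX.sub("", spec, count=1).strip().partition(" ")
            if os.path.basename(path) in PACKAGE_TOOLS:
                findings.append((no, m["who"], path, classify(args.strip())))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print("line %d: %s may run %s via sudo (%s)" % finding)
```

Note that a rule written with arguments but no wildcard, such as `/usr/bin/apt-get install`, only matches that exact command line, so it is reported separately from the bare-path and wildcard grants.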
3

Sudo may be the more simple method, but PolicyKit is the more secure solution, afaik. You should go with the method outlined in the question you linked to.

RolandiXor
  • 51,541
  • 2
    Thanks. That solution (http://askubuntu.com/questions/3/how-can-i-set-the-software-center-to-install-software-for-non-root-users/258#258) originally didn't work for me, but I looked in /usr/share/polkit-1/actions/org.debian.apt.policy to find the various "action id" entries that I needed. Then, I looked at this link (http://hal.freedesktop.org/docs/polkit/pklocalauthority.8.html#pklocalauthority-examples) to fine tune it. – Chance Mar 12 '11 at 04:03
1

If you only want them to be able to install programs, you should be able to get by with only one program. I might give them access to run /usr/bin/apt-get install. If you aren't running automatic updates, then you may need to add /usr/bin/apt-get update. To correct broken installs they may need /usr/bin/dpkg -C -a.

Alternatively, you could enable synaptic, software-center, or aptitude. Then you can point your users at the appropriate module.

Allowing users to uninstall packages could lead to functionality you consider being removed.

BillThor
  • 4,698