-1

My workflow involves an Ubuntu system shared with many other people, with some of them being sudoers. Some sudoers have accidentally removed packages when they were trying to install new ones and this caused chaos, be it packages others need or they themselves need.

How can I ensure that package managers "lock" packages from removal or at the least display a custom warning message to remind the sudoer about a user's dependency before package removal?

muru
kesari
  • 4
    There are already warnings before package removal...that those administrators are ignoring, bypassing and/or disabling. Seems like a training issue with those administrators more than an Ubuntu issue. – user535733 Jan 02 '18 at 17:30
  • @user535733 Please check the question now. – kesari Jan 03 '18 at 02:41
  • 2
    Basically, your question seems to boil down to "how can I --force apt protections on people who already ignore them?". I doubt you can. It may be possible to limit their access to apt by editing the sudoers file, but there are many possible workarounds; that may also be more complex than is conveniently worthwhile. You may find it more productive to simply revoke the abusers' admin rights. – user535733 Jan 03 '18 at 03:23

1 Answer

2

I agree with user535733 in that you should be training your users who have sudo privileges to not go about removing packages when they don't know what those packages are for.

However, in newer versions of apt (> 1.4 - at least Ubuntu 17.04), you can mark a package as "essential" or "important". In Debian bug #767891, a patch was accepted that allows you to do something like:

sudo apt-get -o pkgCacheGen::ForceEssential=gedit update

To mark a package as Essential (or Important) - in this example, the gedit package. For essential packages, apt shows a warning that is much harder to dismiss:

~ sudo apt-get remove bash
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED
  bash bash-completion lightdm ubuntu-desktop
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  bash
0 to upgrade, 0 to newly install, 4 to remove and 26 not to upgrade.
After this operation, 7,776 kB disk space will be freed.
You are about to do something potentially harmful
To continue type in the phrase ‘Yes, do as I say!’
 ?]

Yes, you actually have to type in the exact phrase, including punctuation.

Before apt 1.4, you could install a dummy package using equivs or something similar that is marked "essential" and depends on the packages you want to show the warning for. Then, any attempt to remove those packages will result in removal of the essential dummy package, showing the warning.

muru
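
An advisory pre-check in the spirit of the question's "custom warning", added here as an example and not part of the answer above: it compares the Remv/Purg lines of an `apt-get -s` simulation against a list of packages other users depend on. The list path, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical list location: one package name per line, '#' starts a comment.
PROTECTED_LIST="${PROTECTED_LIST:-/etc/apt/protected-packages.list}"

# Constructed sample of `apt-get -s remove bash` output (versions are made up).
SAMPLE_SIM='Reading package lists... Done
Remv ubuntu-desktop [1.404]
Remv lightdm [1.22.0-0ubuntu2]
Remv bash-completion [1:2.1-4.3ubuntu1]
Remv bash [4.4-2ubuntu1]'

# protected_removals LISTFILE
# Reads simulation output on stdin and prints every package from LISTFILE
# that appears in a "Remv" (remove) or "Purg" (purge) action line.
protected_removals() {
    awk -v list="$1" '
        BEGIN {
            # Load the protected names, ignoring comments and blank lines.
            while ((getline line < list) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") prot[line] = 1
            }
        }
        $1 == "Remv" || $1 == "Purg" {
            pkg = $2
            sub(/:.*/, "", pkg)      # drop an arch suffix such as ":i386"
            if (pkg in prot) print pkg
        }
    '
}

# guarded_remove PKG...
# Simulates the removal first and refuses if a protected package is affected.
# A sudoer can still call apt-get directly, so this is a reminder, not a lock.
guarded_remove() {
    hits=$(apt-get -s remove "$@" | protected_removals "$PROTECTED_LIST")
    if [ -n "$hits" ]; then
        echo "Refusing: other users depend on:" $hits >&2
        return 1
    fi
    sudo apt-get remove "$@"
}
```

Because dependent packages show up in the simulation too, listing only the package a user cares about is enough to catch removals that would drag it along.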