Is it possible to allow non-root users to install packages system-wide using apt or rpm?
The place where I work currently has an out-of-date setup on the Linux boxes, and admins are sick of having to do all the installations for users on request, so they are thinking of giving full sudo rights to all users. This has obvious security disadvantages. So I’m wondering if there’s a way to allow normal users to install software – and to upgrade and remove it?
Answers:
Method 1
You can specify the allowed commands with sudo, you don’t have to allow unlimited access, e.g.
username ALL = NOPASSWD : /usr/bin/apt-get , /usr/bin/aptitude
This would allow username to run sudo apt-get and sudo aptitude without any password but would not allow any other commands.
You can also use PackageKit combined with PolicyKit for a finer level of control than sudo.
Allowing users to install/remove packages can be a risk. They can pretty easily render a system nonfunctional just by uninstalling necessary software like libc6, dpkg, rpm etc. Installing arbitrary software from the defined archives may allow attackers to install outdated or exploitable software and gain root access. The main question in my opinion is how much do you trust your employees?
Of course, your admin team could also start using a configuration management system like Puppet or Chef, or look into Spacewalk to manage your systems. This would allow them to configure and manage the systems from a central system.
Method 2
From the man pages:
aptdcon: allows to perform package management tasks, e.g. installing or removing software, using aptdaemon. There isn’t any need to be root to run this program.
Method 3
username ALL = NOPASSWD : /usr/bin/yum, /bin/rpm
Method 4
For me on Debian 10, the option with visudo required additional steps:
- Add yourself to the sudoers:
Log in as root via su -, open the sudo editor with visudo and add the following lines:
%yourusername% ALL=NOPASSWD: /usr/bin/apt-get install
%yourusername% ALL=NOPASSWD: /var/lib/dpkg/lock-frontend
- Exit the session (root and yours) by typing
exit<Enter>exit<Enter>
- Reopen it and type:
sudo chown %yourusername%: /var/lib/dpkg/lock-frontend
chmod u+w /var/lib/dpkg/lock-frontend
sudo chown %yourusername%: /var/lib/dpkg/lock
chmod u+w /var/lib/dpkg/lock
sudo chown %yourusername%: /var/cache/apt/archives/lock
chmod u+w /var/cache/apt/archives/lock
sudo chown %yourusername%: /var/lib/apt/lists/lock
chmod u+w /var/lib/apt/lists/lock
PS: I also added a line with visudo to allow myself to update the repos list:
%yourusername% ALL=NOPASSWD: /usr/bin/apt-get update
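The sudoers entries in Methods 1, 3 and 4 differ in how much of the package manager they expose: a bare path permits every subcommand and option (including the removals Method 1 warns about), while listed arguments are matched exactly unless they contain wildcards. The following audit sketch is an added example, not code from any of the answers; it assumes simple one-line user specifications, and the user "alice" and the PKG_TOOLS list are constructed for illustration.

```python
import os
import re

# Package managers this check looks at (assumed list, extend as needed).
PKG_TOOLS = {"apt-get", "apt", "aptitude", "dpkg", "yum", "dnf", "rpm"}

# Constructed sample built from the entries quoted in Methods 1, 3 and 4;
# "alice" stands in for the username placeholder.
SAMPLE = """\
alice ALL = NOPASSWD : /usr/bin/apt-get , /usr/bin/aptitude
alice ALL = NOPASSWD : /usr/bin/yum, /bin/rpm
alice ALL=NOPASSWD: /usr/bin/apt-get install
alice ALL=NOPASSWD: /var/lib/dpkg/lock-frontend
alice ALL=NOPASSWD: /usr/bin/apt-get update
"""

# user host = [(runas)] command-list
SPEC = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD)\s*:\s*")

def classify(args):
    """Describe how sudoers will match the arguments of one command."""
    if not args:
        return "any-args"        # bare path: every subcommand and option allowed
    if any(ch in " ".join(args) for ch in "*?["):
        return "wildcard-args"   # glob patterns matched against the arguments
    return "exact-args"          # command line must match these words exactly

def audit(text):
    """Return (user, tool, args, scope, nopasswd) per package-manager entry."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        user, rest, nopasswd = m.group(1), m.group(2), False
        for item in (part.strip() for part in rest.split(",")):
            tag = TAG.match(item)
            if tag:                      # a tag applies to the commands after it
                nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            words = item.split()
            if words and os.path.basename(words[0]) in PKG_TOOLS:
                findings.append((user, os.path.basename(words[0]),
                                 " ".join(words[1:]), classify(words[1:]), nopasswd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```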
Method 5
I also looked for something like that, but nothing showed up, so I coded this easy solution “softwarechannels”:
https://github.com/alfem/softwarechannels
It is a very simple system to allow common (non-admin) users to install packages from restricted catalogs.
Just define ‘channels’ (groups of packages) in a simple text file and give your users permissions to launch softwarechannels.
They will only see packages in channels matching their unix groups.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.