Allow regular user to update software via GUI and update notifier

I want to demote a user with admin rights to a regular user.

But I want to let her continue to do the updates as before via the GUI. Explicitly, allow the updates to happen when asked to do so via the update notifier dialog.

I don't know if it's possible, and if yes, what sudo rules should I use so that that user can do the updates.

I am only familiar with the apt command. What commands/software are used to get notifications about updates, and then to run the update process?

Is it too complicated, and does it require administrative privileges after all?


Solution 1:

The GUI uses Polkit for authentication and authorization. The relevant Polkit actions seem to be, for apt:

org.debian.apt.cancel-foreign
org.debian.apt.change-config
org.debian.apt.change-repository
org.debian.apt.clean
org.debian.apt.get-trusted-vendor-keys
org.debian.apt.install-file
org.debian.apt.install-or-remove-packages
org.debian.apt.install-packages-from-new-repo
org.debian.apt.install-packages.high-trust-repo
org.debian.apt.install-purchased-packages
org.debian.apt.set-proxy
org.debian.apt.update-cache
org.debian.apt.upgrade-packages

Possibly, you might need the following as well, for snaps:

io.snapcraft.login
io.snapcraft.snapd.login
io.snapcraft.snapd.manage
io.snapcraft.snapd.manage-interfaces

Additionally, Ubuntu Software does various actions via PackageKit, so actions for those as well:

org.freedesktop.packagekit.cancel-foreign
org.freedesktop.packagekit.clear-offline-update
org.freedesktop.packagekit.device-rebind
org.freedesktop.packagekit.package-downgrade
org.freedesktop.packagekit.package-eula-accept
org.freedesktop.packagekit.package-install
org.freedesktop.packagekit.package-install-untrusted
org.freedesktop.packagekit.package-reinstall
org.freedesktop.packagekit.package-remove
org.freedesktop.packagekit.repair-system
org.freedesktop.packagekit.system-network-proxy-configure
org.freedesktop.packagekit.system-sources-configure
org.freedesktop.packagekit.system-sources-refresh
org.freedesktop.packagekit.system-trust-signing-key
org.freedesktop.packagekit.system-update
org.freedesktop.packagekit.trigger-offline-update
org.freedesktop.packagekit.trigger-offline-upgrade
org.freedesktop.packagekit.upgrade-system

And for update-manager:

com.ubuntu.update-notifier.pkexec.cddistupgrader
com.ubuntu.update-notifier.pkexec.package-system-locked

And for synaptic:

com.ubuntu.pkexec.synaptic

To configure Polkit privileges, create a .pkla file in /etc/polkit-1/localauthority/50-local.d named, say, allow-pkg-mgmt.pkla, containing:

[Allow Package Management to user foo]
Identity=unix-user:foo
Action=org.debian.apt.*;io.snapcraft.*;org.freedesktop.packagekit.*;com.ubuntu.update-notifier.*
ResultActive=auth_self

See man 8 pklocalauthority for more on configuring Polkit privileges, and the output of pkaction for more actions. For some reason, I had to use ResultActive instead of ResultAny before it would ask for the unprivileged user's password.
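
Added example, not part of the answer above and not code from Polkit or Ubuntu: a small Python check that expands the Action globs of a .pkla entry against a list of action ids, so you can see exactly which actions an entry hands to the user before installing it. The action list is a subset copied from the answer, and PKLA_NARROW is a hypothetical narrower rule (an assumption, not tested against the update notifier); fnmatch is used here as an approximation of Polkit's glob matching.

```python
import configparser
from fnmatch import fnmatchcase

# Subset of the action ids listed in the answer; on a real system use the
# output of `pkaction` instead.
ACTIONS = [
    "org.debian.apt.change-repository",
    "org.debian.apt.update-cache",
    "org.debian.apt.upgrade-packages",
    "io.snapcraft.snapd.manage",
    "org.freedesktop.packagekit.package-install-untrusted",
    "org.freedesktop.packagekit.system-update",
    "com.ubuntu.update-notifier.pkexec.package-system-locked",
    "com.ubuntu.pkexec.synaptic",
]
PKLA_FROM_ANSWER = """\
[Allow Package Management to user foo]
Identity=unix-user:foo
Action=org.debian.apt.*;io.snapcraft.*;org.freedesktop.packagekit.*;com.ubuntu.update-notifier.*
ResultActive=auth_self
"""
# Hypothetical narrower rule (assumption, untested against the update notifier).
PKLA_NARROW = """\
[Allow updates only to user foo]
Identity=unix-user:foo
Action=org.debian.apt.update-cache;org.debian.apt.upgrade-packages;org.freedesktop.packagekit.system-update
ResultActive=auth_self
"""

def granted(pkla_text, identity, actions=ACTIONS):
    """Map each action a .pkla grants to `identity` to its ResultActive value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Identity, Action, ResultActive
    cp.read_string(pkla_text)
    out = {}
    for name in cp.sections():
        sec = cp[name]
        ids = [g for g in sec.get("Identity", "").split(";") if g]
        globs = [g for g in sec.get("Action", "").split(";") if g]
        if not any(fnmatchcase(identity, g) for g in ids):
            continue  # this entry does not apply to the identity
        for action in actions:
            if any(fnmatchcase(action, g) for g in globs):
                out[action] = sec.get("ResultActive", "(unset)")
    return out

if __name__ == "__main__":
    for label, text in (("answer", PKLA_FROM_ANSWER), ("narrow", PKLA_NARROW)):
        print(label, granted(text, "unix-user:foo"))
```

With the sample list, the entry from the answer covers the repository-change and untrusted-install actions along with the update ones, while com.ubuntu.pkexec.synaptic matches none of its globs.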