Allow regular user to update software via GUI and update notifier
I want to demote a user with admin rights to a regular user.
But I want to let her continue to do the updates as before via the GUI. Explicitly, allow the updates to happen when asked to do so via the update notifier dialog.
I don't know if it's possible, and if yes, what sudo rules should I use so that that user can do the updates.
I am only familiar with the apt command.
What command/software are used to get notification about updates, and then to run the update process?
Is it too complicated and requires administrative privileges after all?
Solution 1:
The GUI uses Polkit for authentication and authorization. The relevant Polkit actions seem to be, for apt:
org.debian.apt.cancel-foreign
org.debian.apt.change-config
org.debian.apt.change-repository
org.debian.apt.clean
org.debian.apt.get-trusted-vendor-keys
org.debian.apt.install-file
org.debian.apt.install-or-remove-packages
org.debian.apt.install-packages-from-new-repo
org.debian.apt.install-packages.high-trust-repo
org.debian.apt.install-purchased-packages
org.debian.apt.set-proxy
org.debian.apt.update-cache
org.debian.apt.upgrade-packages
Possibly, you might need the following as well, for snaps:
io.snapcraft.login
io.snapcraft.snapd.login
io.snapcraft.snapd.manage
io.snapcraft.snapd.manage-interfaces
Additionally, Ubuntu Software does various actions via PackageKit, so actions for those as well:
org.freedesktop.packagekit.cancel-foreign
org.freedesktop.packagekit.clear-offline-update
org.freedesktop.packagekit.device-rebind
org.freedesktop.packagekit.package-downgrade
org.freedesktop.packagekit.package-eula-accept
org.freedesktop.packagekit.package-install
org.freedesktop.packagekit.package-install-untrusted
org.freedesktop.packagekit.package-reinstall
org.freedesktop.packagekit.package-remove
org.freedesktop.packagekit.repair-system
org.freedesktop.packagekit.system-network-proxy-configure
org.freedesktop.packagekit.system-sources-configure
org.freedesktop.packagekit.system-sources-refresh
org.freedesktop.packagekit.system-trust-signing-key
org.freedesktop.packagekit.system-update
org.freedesktop.packagekit.trigger-offline-update
org.freedesktop.packagekit.trigger-offline-upgrade
org.freedesktop.packagekit.upgrade-system
And for update-manager:
com.ubuntu.update-notifier.pkexec.cddistupgrader
com.ubuntu.update-notifier.pkexec.package-system-locked
And for synaptic:
com.ubuntu.pkexec.synaptic
To configure Polkit privileges, create a .pkla file in /etc/polkit-1/localauthority/50-local.d named, say, allow-pkg-mgmt.pkla, containing:
[Allow Package Management to user foo]
Identity=unix-user:foo
Action=org.debian.apt.*;io.snapcraft.*;org.freedesktop.packagekit.*;com.ubuntu.update-notifier.*
ResultActive=auth_self
See man 8 pklocalauthority for more on configuring Polkit privileges, and the output of pkaction for more actions. For some reason, I had to use ResultActive instead of ResultAny before it would ask for the unprivileged user's password.
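The wildcards in the Action line above cover more than refreshing and upgrading: they also match repository changes, signing-key trust and arbitrary package installs. As an added example (not part of the original answer), this script expands a .pkla file's Action globs against a list of action IDs and reports what is granted beyond updating. The UPDATE_ONLY set and the use of fnmatch to approximate Polkit's glob matching are assumptions of this example.

```python
import configparser
from fnmatch import fnmatchcase

# Subset of the action IDs listed above; on a real system feed in `pkaction` output.
ACTIONS = """
org.debian.apt.change-repository org.debian.apt.install-file
org.debian.apt.install-or-remove-packages org.debian.apt.install-packages-from-new-repo
org.debian.apt.update-cache org.debian.apt.upgrade-packages
org.freedesktop.packagekit.package-install-untrusted org.freedesktop.packagekit.package-remove
org.freedesktop.packagekit.system-sources-configure org.freedesktop.packagekit.system-sources-refresh
org.freedesktop.packagekit.system-trust-signing-key org.freedesktop.packagekit.system-update
com.ubuntu.pkexec.synaptic
""".split()

# Assumption of this example: what an "updates only" user plausibly needs.
UPDATE_ONLY = {
    "org.debian.apt.update-cache",
    "org.debian.apt.upgrade-packages",
    "org.freedesktop.packagekit.system-sources-refresh",
    "org.freedesktop.packagekit.system-update",
}

# The rule from the answer, embedded so the script runs offline.
PKLA = """\
[Allow Package Management to user foo]
Identity=unix-user:foo
Action=org.debian.apt.*;io.snapcraft.*;org.freedesktop.packagekit.*;com.ubuntu.update-notifier.*
ResultActive=auth_self
"""

def parse_pkla(text):
    """Return {section name: [action globs]} for each rule in a .pkla file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # .pkla keys are case-sensitive (Action, Identity, ...)
    cp.read_string(text)
    return {s: [g for g in cp[s].get("Action", "").split(";") if g]
            for s in cp.sections()}

def audit(text, actions=ACTIONS, allowed=UPDATE_ONLY):
    """Per rule, list matched actions that are not in the allowed set."""
    report = {}
    for section, globs in parse_pkla(text).items():
        matched = {a for a in actions if any(fnmatchcase(a, g) for g in globs)}
        report[section] = sorted(matched - allowed)
    return report

if __name__ == "__main__":
    for section, extra in audit(PKLA).items():
        print(f"[{section}] grants {len(extra)} actions beyond updating:")
        print("\n".join("  " + a for a in extra))
```

Replacing the wildcards with the explicit action IDs from UPDATE_ONLY makes the same audit return an empty list for the rule.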