Why can't non-admin users install software?

security password windows sudo

Solution 1:

Why you're asked for a password

Most software is designed to touch sensitive files, i.e. sensitive to the security of your private data or the systems integrity. This is why software installation is a potential risk and should be validated by a user who knows what he is doing. Even for open source Software you can not be sure that no bad code bits arrive with your percious new audio player until someone checked. And even then something could have been overlooked or packages could be manipulated on the way. Who knows what's hidden in the depth of the program? One user should.

Ubuntu provides a comfortable way of installing software. Software developers can rely on that comfort and make the assumption that synaptic/software center/apt enables them to access these sensitive files. Canonical checks the software repository for bugs and malicious code. But the ultimate responsibility is yours.

If the software in question does not need access to sensitive files, it can (in principle) be installed in the home folder though not in the Ubuntu way. You will for instance have to compile the source code yourself or run a custom install script. Beside the greater efforts of that it has the disadvantage of not allowing other users access to your just installed program (as they have no right to access your home-folder). They will need to installed it a second time. So this way of installation makes no sense in a large scale and in a small scale it's usually easier to type a password than to install software manually.

So that's why Synaptic aaks for a password and why it's good that it does.

Sudoers

If you are really in dire need of having other users install software without password, you can add them to the sudoers list. This however will result in a great security risk. If that doesn't concern you, consider that there a bot networks out there with great resources to break into your computer via Internet. They do this just to add your computer to the net and use it's connection and computing power without your knowledge to do all sorts of illegal stuff. They are not even after your personal data your you for that matter. They just want to hijack your PC. Still not concerned? Really? Then look at the following answer which is a small how-to on the workings of sudoers list:

How to make Ubuntu remember forever the password after the first time

Read that carefully. You could lock yourself out of the system.

The scare is over

So now you have the scare behind you are and taking the matter seriously, I can tell you it's really not that bad. If you trust the people working on your computer, and you don't have programs installed that allow remote access to your system (e.g. an ssh- or ftp-server), then it's really not that dangerous to disable the password stuff. Just don't do it without considering the worst case and think of your private data.

Overlook on the proceedings (don't do this lightly - see text and link above):

# in shell type these commands
sudo su       # in case you do something stupid, you'll have a root shell open
select-editor # (optional) will allow you to select text editor
visudo        # secure way to open sudoers list

An editor will open ADD a line like this:

confus confusion=(root) NOPASSWD:/usr/sbin/synaptic,/usr/bin/software-center

Syntax explanation: username machine=(usernameToRunCommandAs) command1,command2,.... So the above line allows confus to run synaptic and softwarecenter as root without password query. You will still need to start it with sudo synaptic or gksudo synaptic or put an alias `alias synaptic='sudo synaptic' in your shell profile.

Solution 2:

They can not. Here is the deal.

  1. The 1st user created in Ubuntu is considered a special user: this is a user with administration permissions. This means when ever this user wants to do admin tasks he will be prompted for his admin password. Those tasks are issued by putting sudo in front of a command.

  2. All other users (unless you change it yourself) are normal users and can not install sofware system wide unless the admin (1st user) lets them do so. Normal user can only put things in their own home and if they want to they can mess up their home directory.

This way 1 person is responsible for the system.

You could make more than 1 user an admin (so able to install software) by adding those users to the sudoers file.

Besides that they can install software in their home but this does depend on the software: sometimes the installer wants to add it to the system and that is not allowed. These installs tend to be from source so it is not the easiest method ;)

Solution 3:

In Ubuntu, the administrator has root privileges (often referred as just "root", as in "you need to be root").

Access to files can be split in three types:

  • read (numeric value 4)
  • write (numeric value 2)
  • execute (numeric value 1)

These attributes can be set on every file or directory. Furthermore, these restrictions can be set on:

  • the owner of the file
  • the group of the file (users can be a member of this group)
  • all other users which are not the owner nor in the group

These principles forms the basics of Linux file permissions. In windows, everything can be executed. Give it an .cmd or .exe extension for example. In Ubuntu, you need to add the execute bit explicitly, otherwise a permission error will be raised.

When an user executes a program, the program accesses files as that user and these file permissions kicks in. By default, locations where programs are installed are privileged, only the owner can write. This owner is root. All other users can only read and execute the program, not write to it. That's why you need root privileges to install programs.

Ubuntu has a special program called sudo (SuperUser DO ...) to run programs with root privileges. This can be used for installing software. When run, the sudo program asks you for your user password. Note that only members of the admin group can run programs as root using sudo.

In Windows, you would go to a website and download an installer. Ubuntu works with a software repository in which you can search for programs and install those. These programs are reviewed before added to the official repositories, so you can be sure that no harmful intentions exist in the programs.

Solution 4:

Non-admin users cannot install software because the packages run as root when they're installing as they install to privileged parts of the system, run maintainer scripts, etc.

There is currently no way to tell the system "Install firefox from this .deb but in a user's home directory so that it's isolated from the rest of the system"; which is why currently it's mostly an all or nothing affair. (This is also why running third party .debs is bad, the package and it's included scripts have root access to your system)

Related

HPLIP Driver install fails on Ubuntu 20.04
Xorg: High CPU Usage (94%) on Moving Mouse (Ubuntu 18.04)
Turn off smooth scrolling in GTK3
"FAT-fs: IO charset iso8859-1 not found" error while mounting FAT Drives
Ubuntu 18.04 not detecting full RAM size
I continue to get this when trying to log into ubuntu one from the ubuntu desktop [duplicate]
How to set nautilus to --no-desktop via gconf
Ubuntu 14.04 mouse and window focus issues
What is the correct usage "Last time/The last time"
Is there a word or words to describe a workplace where employees end up managing managers?
Present perfect or simple past with "for the last twenty minutes"?
Last time/The last time