How do I allow a user to only run the apt-get update command with sudo? [duplicate]

security permissions sudo users

I cannot figure out how to allow a user (in this case test) to only be able to run the apt-get update command with the sudoers file. When ever I try to add the user and then test it out it still does not allow the user to run the command.

Can someone please help me out? I have been researching this all day and can still not figure it out. I am probably typing in something wrong.

I'm using Ubuntu 14.04.


First, edit the /etc/sudoers only with visudo

You can set the permission to the user joe for apt-get command only adding the following line:

%joe your_hostname=(root):/usr/bin/apt-get

Once logged in as joe, you can check the permissions:

sudo -l

Edit: The user will be able to use apt-get update, upgrade, install, etc; since those are just flags for the apt-get command.


Looking at Andre Herman Bezerra's answer, the only problem with this is pointed out in the comments this DOES NOT restrict the user to update only (they can install/remove packages).

If you want to restrict a user to be able to update only you're better off doing the following.

Create a group or use the %staff group.

In this example, i'm choosing to use the staff user group.

Update the sudoers document.

export editor="vi" && sudo visudo

Create a Cmnd_Alias which will define a bash script permitted.

Cmnd_Alias UPDATER_ONLY = /usr/local/bin/updater.sh

You need to define how this command is permitted.

# Require staff to enter password when updating.
%staff ALL= UPDATER_ONLY

# Or, password is not required, just run the updater.
%staff ALL= NOPASSWD: UPDATER_ONLY

Finally, you need to create the shell.

To prevent anyone editing the file this should be owned by root and read-only, or created whilst running sudo.

$ sudo echo '#!/bin/bash' >> /usr/local/bin/updater.sh
$ sudo echo 'sudo apt-get update && sudo apt-get upgrade -y' >> /usr/local/bin/updater.sh
$ sudo chmod 0755 /usr/local/bin/updater.sh

This should look like the following:

$ ls -la /usr/local/bin/updater.sh
-rwxr-xr-x 1 root root 60 Jan 22 08:50 /usr/local/bin/updater.sh*

We're almost done!

You need to remember to permit this privilege by adding the user to the staff group.

sudo usermod -aG staff the-user

If someone attempts to install something this is what they receive:

test-me@comp0:~$ sudo apt-get install test
[sudo] password for test-me: 
Sorry, user test-me is not allowed to execute '/usr/bin/apt-get install test' as root on comp0.

Related

Why does pip -t not work on Ubuntu 15.04?
Alternatives to Photoshop and Illustrator [duplicate]
In youtube, There are just 360p and 720p options .(no 240p,480p and 1080p)
Can I execute multiple lines sudo commands?
Reset keyboard layout to default and wipe out all earlier settings
find list of installed device drivers ubuntu
Intel graphics drivers 1.4.0: i915-4.3.3-4.2.0-dkms isn't available, NO_PUBKEY D14BDB0DB3438B6C
Start Windows in virtual machine from real hard drive partion
Copy files that are different only between two large volumes?
How is the response time in the apache logs measured and at what point does it start and stop?
Online Backup Strategy
How do you issue trusted self signed certificates?