How do I allow a user to only run the apt-get update command with sudo? [duplicate]
I cannot figure out how to allow a user (in this case test
) to only be able to run the apt-get update
command with the sudoers
file. When ever I try to add the user and then test it out it still does not allow the user to run the command.
Can someone please help me out? I have been researching this all day and can still not figure it out. I am probably typing in something wrong.
I'm using Ubuntu 14.04.
First, edit the /etc/sudoers
only with visudo
You can set the permission to the user joe
for apt-get
command only adding the following line:
%joe your_hostname=(root):/usr/bin/apt-get
Once logged in as joe
, you can check the permissions:
sudo -l
Edit: The user will be able to use apt-get update, upgrade, install, etc; since those are just flags for the apt-get command.
Looking at Andre Herman Bezerra's answer, the only problem with this is pointed out in the comments this DOES NOT restrict the user to update only (they can install/remove packages).
If you want to restrict a user to be able to update only you're better off doing the following.
Create a group or use the %staff
group.
In this example, i'm choosing to use the staff user group.
Update the sudoers
document.
export editor="vi" && sudo visudo
Create a Cmnd_Alias
which will define a bash script permitted.
Cmnd_Alias UPDATER_ONLY = /usr/local/bin/updater.sh
You need to define how this command is permitted.
# Require staff to enter password when updating.
%staff ALL= UPDATER_ONLY
# Or, password is not required, just run the updater.
%staff ALL= NOPASSWD: UPDATER_ONLY
Finally, you need to create the shell.
To prevent anyone editing the file this should be owned by root and read-only, or created whilst running sudo.
$ sudo echo '#!/bin/bash' >> /usr/local/bin/updater.sh
$ sudo echo 'sudo apt-get update && sudo apt-get upgrade -y' >> /usr/local/bin/updater.sh
$ sudo chmod 0755 /usr/local/bin/updater.sh
This should look like the following:
$ ls -la /usr/local/bin/updater.sh
-rwxr-xr-x 1 root root 60 Jan 22 08:50 /usr/local/bin/updater.sh*
We're almost done!
You need to remember to permit this privilege by adding the user to the staff group.
sudo usermod -aG staff the-user
If someone attempts to install something this is what they receive:
test-me@comp0:~$ sudo apt-get install test
[sudo] password for test-me:
Sorry, user test-me is not allowed to execute '/usr/bin/apt-get install test' as root on comp0.