Update Manager doesn't ask for a password

This is a deliberate change in behaviour (source):

As of Ubuntu 11.10, update-manager no longer prompts for the user's password to apply updates. This was decided to improve usability and to make it easier for users to apply security updates and therefore increase system security. The rationale is as follows:

  • Like in previous releases, by default only people in the admin group are allowed access to perform security updates.

  • Only updates for already installed software can be applied without a password. Installing additional software still requires people to enter their password.

  • The password prompt had become an irritant for some people such that they would just press 'Cancel' instead of installing the updates. The password prompt decreased system security for those users.

  • People that did dutifully apply updates became conditioned to enter their privileged password perhaps daily. When the user is prompted for the password, it should mean something and the frequency of update-manager updates meant that some people no longer thought about why they were entering their password. For these users, the password prompt had the potential to reduce security.

For environments where this change is deemed not appropriate, this functionality can be disabled by the administrator via PolicyKit or by creating users that are not in the admin group (a recommended practice to begin with).

The relevant PolicyKit policy is in the file /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla:

[Update already installed software]
Identity=unix-group:admin
Action=org.debian.apt.upgrade-packages
ResultActive=yes

This grants permission for anybody in the admin group to update packages without having to enter a password. I've never used PolicyKit before now, but based on my reading of the manpage for pklocalauthority, to override this you should create a this file..

/var/lib/polkit-1/localauthority/50-local.d/require-password-to-update.pkla

you'll need superuser priviledges to create it, so use this command...

gksudo gedit /var/lib/polkit-1/localauthority/50-local.d/require-password-to-update.pkla

which will open a new file in gedit and put the following policy entry in it:

[Require password to upgrade already installed software]
Identity=unix-group:admin
Action=org.debian.apt.upgrade-packages
ResultActive=auth_admin

Save this and exit gedit, you can now open update manager and it will ask you to confirm your password before applying any updates.