Limit what users can install

This is a theoretical scenario that has come up as part of another question:

  • I have x Ubuntu desktops with x users.
  • Users don't have sudo privs
  • I can let them install things through the software center by editing the Policy Kit rules
  • But that would let them install anything (inc games) which is not desirable.

I'm wondering if there's a hack that would be able to limit what sorts of things a user can install.

Packages have a "section" (eg games) so I was wondering if it would be possible to force apt to ignore a whole section of packages. Or perhaps a way of setting up an Apt proxy that does this filtering. Changes can be global (eg even somebody with sudo privs won't be able to install games).

Any ideas welcome.


Before you leave a comment telling me people could just bring their own debs with them, or download tars from the Internet and run them that way, please remember this a theoretical situation.

If it means you'll focus on the question, pretend that my users aren't allowed USB mounts, can't execute things in ~/ and don't have write permissions outside their home. It's locked down. And yes, all of that can be done.


I think you should consider the following:

  1. Create your own custom APT Repository using info from here for example but there are a few more out there.
  2. Sync only what you want users to see
  3. Change your users desktop source lists to this repository

At this point your users should only see what you want them to see. You might also have to do some fancy footwork with firewalls to disable access to default ubuntu sources so that your users don't add them as custom sources and start downloading stuff on their own.