Is it possible to allow non-root users to install packages system-wide using apt or rpm?
The place where I work currently has an out of date setup on the linux boxes, and admins are sick of having to do all the installations for users on request, so they are thinking of giving full sudo rights to all users. This has obvious security disadvantages. So I'm wondering if there's a way to allow normal users to install software – and to upgrade and remove it?
Best Answer
You can specify the allowed commands with sudo, you don't have to allow unlimited access, e.g.
This would allow username to run
sudo apt-getandsudo aptitudewithout any password but would not allow any other commands.You can also use packagekit combined with PolicyKit for some more finer level of control than sudo.
Allowing users to install/remove packages can be a risk. They can pretty easily render a system nonfunctional just by uninstalling necessary software like libc6, dpkg, rpm etc. Installing arbitrary software from the defined archives may allow attackers to install outdated or exploitable software and gain root access. The main question in my opinion is how much do you trust your employees?
Of course your admin team could also start using a configuration management system like puppet, chef or look into spacewalk to manage your system. This would allow them to configure and manage the system from a central system.