Allow updates to regular users

raspi · 19 September 2020 04:19

Hi,

I just installed fresh Manjaro KDE Stable to my parent’s laptop.

I’ve added them as regular system users so they can’t mess up system settings. I’d like to allow (only) software updates for them. Default system installer installed pamac as the GUI.

Where/how I could allow them to run only the system update utility (pamac-updater)?

Yochanan · 19 September 2020 04:30

Simply put: Anything that writes to the system requires sudo. Period. No ifs , ands , or buts about it.

As I’m sure you know, part of the responsibility of owning a computer (or a car) is learning how to maintain it–or pay someone else to do it.

anon17725764 · 19 September 2020 05:17

The philosophy behind the modern Linux distro… @raspi if you want something similar to how executables can work on Windows without admin look into AppImages

anon17725764 · 19 September 2020 05:20

Sorry, I just completely disregarded what you asked – my fault

sadly updating just requires root privileges, I don’t think there’s any way around that – I’ll try to brainstorm a bit though

raspi · 19 September 2020 05:26

I did the following:

Create /etc/sudoers.d/users with following contents:

raspi ALL=(ALL) ALL
# Allow pamac manager for certain users
parentsname1 ALL=/usr/bin/pamac-manager
parentsname2 ALL=/usr/bin/pamac-manager

Create /etc/polkit-1/rules.d/50-pamac-manager.conf with following contents:

polkit.addRule(function(action, subject) {
  if (action.id == "org.manjaro.pamac.commit" && subject.isInGroup("users"))
  {
    return polkit.Result.YES;
  }
})

Restart PolicyKit:

% sudo systemctl restart polkit

Make sure that the users are in users group:

% groups parentsname1
audio input lp optical storage video users sys network scanner power parentsname1

Now they can run the updates. They can also remove and install apps now. I’ll update this answer if I figure out if I can limit the remove/install. For now this is OK.

So now both parents are listed with “Standard” account type in User Accounts and if they mess with system settings which asks password (PolicyKit), it will fail, but they can update the system (specifically listed in sudoers) , which was that I wanted.

scachemaille · 19 September 2020 06:52

I would create a special group “pamac” or any other group instead of using the users group
And in the sudoers use the new group name instead of each users

%groupname ALL=/usr/bin/pamac-manager

system · 22 September 2020 06:52

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.