Allow updates to regular users

Hi,

I just installed fresh Manjaro KDE Stable to my parent’s laptop.

I’ve added them as regular system users so they can’t mess up system settings. I’d like to allow (only) software updates for them. Default system installer installed pamac as the GUI.

Where/how I could allow them to run only the system update utility (pamac-updater)?

Simply put: Anything that writes to the system requires sudo. Period. No ifs , ands , or buts about it.

As I’m sure you know, part of the responsibility of owning a computer (or a car) is learning how to maintain it–or pay someone else to do it. :wink:

2 Likes

The philosophy behind the modern Linux distro… @raspi if you want something similar to how executables can work on Windows without admin look into AppImages :wink:

Sorry, I just completely disregarded what you asked – my fault

sadly updating just requires root privileges, I don’t think there’s any way around that – I’ll try to brainstorm a bit though

I did the following:

Create /etc/sudoers.d/users with following contents:

raspi ALL=(ALL) ALL
# Allow pamac manager for certain users
parentsname1 ALL=/usr/bin/pamac-manager
parentsname2 ALL=/usr/bin/pamac-manager

Create /etc/polkit-1/rules.d/50-pamac-manager.conf with following contents:

polkit.addRule(function(action, subject) {
  if (action.id == "org.manjaro.pamac.commit" && subject.isInGroup("users"))
  {
    return polkit.Result.YES;
  }
})

Restart PolicyKit:

% sudo systemctl restart polkit

Make sure that the users are in users group:

% groups parentsname1
audio input lp optical storage video users sys network scanner power parentsname1

Now they can run the updates. They can also remove and install apps now. I’ll update this answer if I figure out if I can limit the remove/install. For now this is OK.

So now both parents are listed with “Standard” account type in User Accounts and if they mess with system settings which asks password (PolicyKit), it will fail, but they can update the system (specifically listed in sudoers) , which was that I wanted.

5 Likes

I would create a special group “pamac” or any other group instead of using the users group :thinking:
And in the sudoers use the new group name instead of each users

%groupname ALL=/usr/bin/pamac-manager

3 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.