How to limit users to update or upgrade installed packages on their UBUNTU 20.04 installation but not allow installing packages using sudo and aptitude

By default on UBUNTU/DEBIAN users require membership in “adm” or “sudo” groups, to gain the right to use sudo freely. However there are many situations where you want regular users to be able to update and upgrade their system any time, even without using a password every time. For example:

To shutdown and power off a workstation i provide my users a desktop script, which first updates the apt cache, performs a safe-upgrade and then halts and powers off the computer if successful. So system keeps somewhat up to date and it wont bother the user.

So to grant every user the right to use my shut-down-script OR apt|aptitude update|safe-upgrade without being asked for their password i did this:

  1. Create new sudoers file under /etc/sudoers.d/ :
    cat << 'EOF' > /etc/sudoers.d/allow-aptitude-upgrades
    ALL ALL=(root) NOPASSWD: /usr/bin/aptitude update, /usr/bin/aptitude full-upgrade -yy, /usr/bin/aptitude safe-upgrade -yy
  2. From now on every user may issue these commands without any password.
it-artikel/linux/how-to-limit-users-to-update-or-upgrade-installed-packages-on-their-ubuntu-20.04-installation-but-not-allow-installing-packages-using-sudo-and-aptitude.txt · Last modified: 2022-08-31 12:30 by