sudo and update-manager

Asked by Hugues Claudon

Binary package hint: sudo

I want all users to use update-manager.
I tried with sudo but it doesn't work.

This is my /etc/sudoers file:

    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # Defaults

    Defaults !lecture,tty_tickets,!fqdn

    # User privilege specification
    root ALL=(ALL) ALL
    ALL ALL=(ALL) NOPASSWD: /usr/bin/update-manager

    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL

Question information

Language: English
Status: Answered
For: Ubuntu sudo
Assignee: No assignee

This question was originally filed as bug #201740.

Iulian Udrea (iulian) said :
#1

Thank you for taking the time to report this issue and helping to make Ubuntu better. Examining the information you have given us, this does not appear to be a bug report so we are closing it and converting it to a question in the support tracker. We appreciate the difficulties you are facing, but it would make more sense to raise problems you are having in the support tracker at https://answers.launchpad.net/ubuntu if you are uncertain if they are bugs. For help on reporting bugs, see https://help.ubuntu.com/community/ReportingBugs

Thank you.

corenominal (corenominal) said :
#2

Hi Hugues,

I can't be sure, but I think the entry in your sudoers file relating to update manager needs changing slightly.

From the command line, enter the following command to edit your sudoers file:
    sudo visudo

Then change your "update-manager" line to read:
    ALL ALL=NOPASSWD: /usr/bin/update-manager

Save the file and exit. I've tested this and it works for me :) Also, I'm not sure if the positioning of the entry makes any difference or not, but I seem to remember having issues with something similar in the past, I solved it by placing my command at the bottom, on the very last line.

Hope this helps, let us know how you get on.

Cheers

Philip

Hugues Claudon (hugues-claudon) said :
#3

Hi and thanks a lot for your answer,

I will take more time to try to explain my problem. Sorry for my English.

My case:

- I have several machines on Ubuntu Gutsy for my office.
- Users don't have any administration rights; they don't belong to the admin group ('useradd test' in a terminal).
- I want to give them the right to use update-manager and update-notifier, so they can only update packages. It is the administrator's job to install new packages.
- So I tried to use the sudoers file, see above.
- When I try it, I get 2 cases when I push the update button:
  * No right to use synaptic.
  * Or just the progress bar and nothing else.

Any idea?

Thank you

corenominal (corenominal) said :
#4

Ah, okay. Thank you for the additional info, I may have been a little hasty with my previous answer :)

Sorry to answer a question with a question, but why not use a crontab command to automatically update your machines? Something like:

    @daily root (apt-get update && apt-get -y -d upgrade) > /dev/null

or

    45 8 * * * root (apt-get update && apt-get -y -d upgrade) > /dev/null

The top crontab entry would run every day at midnight, probably not too good if you switch your machines off overnight. The second command would run every morning at 08:45, maybe a better solution [adjust the time as needed].

Using this method would mean your users would not need to manually update. Some helpful info about cron can be found at: https://help.ubuntu.com/community/CronHowto

Also, you may want to look into cron-apt: https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo

Sorry, if this wasn't the answer you were looking for; however, you may find it to be a better solution. Hope it helps :)

Hugues Claudon (hugues-claudon) said :
#5

Hi Philip and thanks for the quick answer.

It's a good idea to automatically update machines.

But I have some constraints:

- Users don't have powerful machines. Sometimes an upgrade takes a lot of processor resources and users need to keep control of their computer for their work; that's why I want to give them the choice of updating.
- In the end, all computers will have the Ubuntu distribution. We are talking about 70 000 machines across all of France (French administration). If we upgrade at 8:00, for example, all machines will do a GET request at the same time, which is not a good thing for our network.

I still don't understand why it doesn't work when we give rights for /usr/bin/update-manager in the sudoers file.
And if there is a solution, I would like to use the update-notifier too.

Cheers

Hugues

Dennis Dirdjaja (dcd-ditsch) said :
#6

Hi Hugues,

If we are really talking about such a network size, you should maybe think about a proper system management tool. Maybe Landscape would be worth looking at: http://www.canonical.com/projects/landscape

corenominal (corenominal) said :
#7

Hi Hugues

Okay, so 70,000 machines places a different perspective on the problem :-)

Forgetting the automatic updates for the time being, the original problem could [?] have something to do with the fact that update-manager is just a front end/GUI for synaptic. It sounds like you have enough machines to spare one for testing, so why not try adding a line like this to your sudoers file?

    ALL ALL=NOPASSWD: /usr/sbin/synaptic

All my systems are up to date, so I can't test the above; however, it'll be interesting to know if it solves your initial question? Obviously, if it does work, it will pose another problem as it will mean users will be able to use synaptic to install/remove applications etc.

Cheers

Philip

Nick Barcet (nijaba) said :
#8

I do confirm that adding synaptic as described by Philip does solve the issue, as I was able to update a computer with an unprivileged user once sudoers is modified.

The issue of the supplemental rights that this provides to the user is not a small one, however...
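
An added example (not from the thread or from sudo itself): a small Python audit of the user-specification lines quoted on this page, listing passwordless rules granted to `ALL` users and marking those that name a general package front end. The `BROAD_TOOLS` list, the `high`/`review` labels and the simplified parser are assumptions of this sketch.

```python
import re

# Assumption: front ends treated as able to install or remove any package as
# root. The page names synaptic; the other entries are illustrative additions.
BROAD_TOOLS = {"synaptic", "apt-get", "aptitude", "dpkg"}

RULE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(\([^)]*\))?\s*(.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")

def parse_rules(text):
    """Yield (who, command, nopasswd) for each command in each user spec."""
    # Simplified: no alias expansion, includes or line continuations.
    for line in map(str.strip, text.splitlines()):
        m = None if SKIP.match(line) else RULE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag carries over to later commands in the list
        for spec in m.group(4).split(","):
            spec = spec.strip()
            while (tag := TAG.match(spec)):
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                spec = spec[tag.end():]
            if spec:
                yield m.group(1), spec, nopasswd

def audit(text):
    """Return (command, level) for passwordless grants made to every user."""
    findings = []
    for who, cmd, nopasswd in parse_rules(text):
        if who == "ALL" and nopasswd:
            tool = cmd.split()[0].rsplit("/", 1)[-1]
            level = "high" if cmd == "ALL" or tool in BROAD_TOOLS else "review"
            findings.append((cmd, level))
    return findings

# Sample input: the rules quoted in this thread, collected into one file.
SAMPLE = """\
root ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD: /usr/bin/update-manager
ALL ALL=NOPASSWD: /usr/sbin/synaptic
%admin ALL=(ALL) ALL
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live system, `visudo -c` and `sudo -l -U <user>` remain the authoritative checks; this parser only shows what to look for in the file.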

Michael Vogt (mvo) said :
#9

You can put the following line:

    ALL ALL=NOPASSWD: /usr/bin/update-manager

into the /etc/sudoers file *and* then you need to run update-manager with gksu.

The current default in gutsy and hardy is to run it without gksu. My current development release of update-notifier contains two new options: "--force" to force running it even if the user is not in the admin group, and "--force-use-gksu" to ensure that update-manager is run via sudo. If you add those two options to /etc/xdg/autostart/update-notifier.desktop then it should work as expected (with the modified update-notifier, that is).

The alternative solution would be the unattended-upgrades package. It could be used to automatically install updates. It will also do a random sleep at the start of the cron job (default between 1s - 30min) so that the network is not hammered all at the same time. See /usr/share/doc/unattended-upgrades/README for more details.

I hope this helps, please let me know if you have any further questions.

acalderon (aaroncalderon) said :
#10

Hi Hugues,

I wonder if you have solved this issue yet. I want to contribute a little.

My suggestion would be to use the automatic update with the "unattended-upgrades" package and set up the "apt-cacher-ng" to ease the load on the network.

With apt-cacher-ng you will be able to download the updates once from the internet. Then, as you set up the machines to use the apt-cacher-ng as a proxy, they will download the update packages from the proxy machine (where you installed the apt-cacher-ng package).

With this setup you will only use Internet bandwidth once (to get the packages) and internal network bandwidth to update the rest of the 70,000 machines. I am assuming there is only one connection to the Internet; otherwise, each network will need one apt-cacher-ng enabled machine to get the setup working.

If you use the proxy machine on the installation, the proxy setting will be added to apt, somewhere on /etc/apt/* (I believe it would be on /etc/apt/apt.conf).

Links of interest:

apt-cacher-ng
http://www.ubuntugeek.com/apt-cacher-ng-http-download-proxy-for-software-packages.html
http://ubuntuforums.org/archive/index.php/t-981085.html
