How to enable update-notifier and sudo update-manager for non-admin users (Ubuntu 10.04)?

Asked by Kenrick Bingham on 2010-06-06

I would need to have regular users be automatically notified about (security) updates on their Ubuntu 10.04 laptops and install them.

If there are updates available, update-notifier seems to automatically start update-manager for members of the admin group. Adding the users to the admin group is not an option, since I would not like to give them full root access.

I tried adding the line

  ALL ALL=NOPASSWD: /usr/bin/update-manager

in /etc/sudoers. This allows starting update-manager through sudo, but th update-manager windows does not seem to pop up automatically through update-notifier when updates are available.

Our end users might agree to click on "install updates" if the window pops up, but will not run update-manager on their own even if I ask them to. :-)

Question information

English Edit question
Ubuntu update-notifier Edit question
No assignee Edit question
Solved by:
Montel Edwards
Last query:
Last reply:
Montel Edwards (montel) said : #1

As far as I know doing this would mean that you would have to give the user also permission to install packages, remove, and purge packages in the system; I do not believe that you would want this.

Besides, if one user were to do upgrades, if would effect the system globally.

Kenrick Bingham (loxo) said : #2

Thank you!

I am talking about laptops that we lend to members of our staff. The loan periods sometimes extend to several months, so it would be good if they could easily install security updates.

As each laptop is only used by one user at a time, the effect of the uprades on the system "globally" would be no problem during the uprade. Shouldn't it also be reasonably safe to assume that upgrades within a stable distribution normally do not affect the user experience too much?

For a laptop, unattended upgrades through cron-apt or some such is not a solution, since there is a fair chance that the laptop would be powered down during the upgrade. I would also want the user to have control on when to download the upgrades, depending on the network connections available.

The main reason why I would not want to give the users full administrative right is that I would not like them to be able to mess up the system configuration too easily. I would like to be able to give a "clean" system to the next person borrowing the laptop by simply restoring a clean home directory. The aim is not to make absolutely sure that the user (with full physical access to the system, including the possibility to reboot when (s)he wants) cannot get root - this would sound difficult if not impossible.

So I would be more or less happy if I could achieve the following:

- The user does not have full administrative rights
- The upgrade-manager window automatically pops up notifying the user of any updates available
- The user can download and install the updates when (s)he wants
- If necessary, the user might be able to install/uninstall/purge packages by running a command, but not just by pointing and clicking
- I don't need to write a program of my own for this. :-)

Does anybody know of a simple solution?

Launchpad Janitor (janitor) said : #3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Kenrick Bingham (loxo) said : #4

Anybody? Or do you think I should rather add this as a wishlist bug?

Montel Edwards (montel) said : #5

Eh sorry I forgot about running sudo per command.

Try editing your '/etc/sudoers' with the command 'visudo' as root and adding this.

$USER localhost=$COMMAND

so in this case i bet adding 'kenrick localhost=update-manager' would work. If your username is kenrick.

Just 'man sudo' if you need more help.

Montel Edwards (montel) said : #6

take that back.
'man sudoers'

Kenrick Bingham (loxo) said : #7

Thanks for the hint. I changed that to

   ella myhostname=/usr/bin/update-manager

because a) without the full path, visudo barfed ">>> /etc/sudoers: syntax
error near line 34 <<<", and b) with localhost instead of myhostname
(which is the contents of /etc/hostname) I just got "ella is not allowed
to run sudo on myhostname..." when she tried.

This allows ella to run "sudo update-manager" to update packages.

However, this is not what I was looking for: I would want the
update-manager to automatically come up when there is something to update.
(Was I unclear in my original question?)

I have been testing the configuration for several weeks now, with many
package updates being introduced during this time, and no: the update
manager window does not come up.

Best Montel Edwards (montel) said : #8

I think that it would then just be smarter to have a cron job to run the commands
'sudo apt-get update;sudo apt-get dist-upgrade' every couple of days, if you want automatic upgrades.

And, you for what you want you have to set the update manager to automatically check for updates. Ubuntu does not "push" updates to systems, we have to run 'sudo apt-get update' to update our local resporitorys for updates. I believe you could change this in running the graphical configuration utility for updatemanager

'gksu /usr/bin/software-properties-gtk'

Kenrick Bingham (loxo) said : #9

Thank you again, Montel!

However, the problem is that these are laptops that I am talking about.
The users need to be aware of when the systems are being updated so that
they do not suspend or shut down at the wrong moment. Better even, they
should be able to pick a time to update that suits them.

In theory, I do not see anything that would prevent update-manager to be
run automatically for a user that has no other sudo rights. Do you?

Maybe I should file this as a wishlist bug for update-manager?

Kenrick Bingham (loxo) said : #10

Thanks Montel Edwards, that solved my question.