How do I allow a user to only run the apt-get update command with sudo?
Solution 1
Looking at Andre Herman Bezerra's answer, the only problem with this is pointed out in the comments this DOES NOT restrict the user to update only (they can install/remove packages).
If you want to restrict a user to be able to update only you're better off doing the following.
Create a group or use the %staff
group.
In this example, i'm choosing to use the staff user group.
Update the sudoers
document.
export editor="vi" && sudo visudo
Create a Cmnd_Alias
which will define a bash script permitted.
Cmnd_Alias UPDATER_ONLY = /usr/local/bin/updater.sh
You need to define how this command is permitted.
# Require staff to enter password when updating.
%staff ALL= UPDATER_ONLY
# Or, password is not required, just run the updater.
%staff ALL= NOPASSWD: UPDATER_ONLY
Finally, you need to create the shell.
To prevent anyone editing the file this should be owned by root and read-only, or created whilst running sudo.
$ sudo echo '#!/bin/bash' >> /usr/local/bin/updater.sh
$ sudo echo 'sudo apt-get update && sudo apt-get upgrade -y' >> /usr/local/bin/updater.sh
$ sudo chmod 0755 /usr/local/bin/updater.sh
This should look like the following:
$ ls -la /usr/local/bin/updater.sh
-rwxr-xr-x 1 root root 60 Jan 22 08:50 /usr/local/bin/updater.sh*
We're almost done!
You need to remember to permit this privilege by adding the user to the staff group.
sudo usermod -aG staff the-user
If someone attempts to install something this is what they receive:
test-me@comp0:~$ sudo apt-get install test
[sudo] password for test-me:
Sorry, user test-me is not allowed to execute '/usr/bin/apt-get install test' as root on comp0.
Solution 2
First, edit the /etc/sudoers
only with visudo
You can set the permission to the user joe
for apt-get
command only adding the following line:
%joe your_hostname=(root):/usr/bin/apt-get
Once logged in as joe
, you can check the permissions:
sudo -l
Edit: The user will be able to use apt-get update, upgrade, install, etc; since those are just flags for the apt-get command.
Related videos on Youtube
Alex Lowe
Updated on September 18, 2022Comments
-
Alex Lowe over 1 year
I cannot figure out how to allow a user (in this case
test
) to only be able to run theapt-get update
command with thesudoers
file. When ever I try to add the user and then test it out it still does not allow the user to run the command.Can someone please help me out? I have been researching this all day and can still not figure it out. I am probably typing in something wrong.
I'm using Ubuntu 14.04.
-
Admin about 9 yearsIsn't apt get update only available to sudoers ? So if a user not a sudoer the user shouldn't be able to run it
-
Admin about 9 years@Serg I suppose OP wants to restrict a user to only that command (no sudo priveleges).
-
-
kingmilo about 9 years@andre would it not just be /usr/bin/apt-get as the update, upgrade, remove etc are merely flags for that command so if the user can run apt-get they are not restricted to the flags they can use :)
-
Admin almost 2 yearsWhat does
(root)
mean here?