How do I allow a user to only run the apt-get update command with sudo?

permissions sudo security users

16,744

Solution 1

Looking at Andre Herman Bezerra's answer, the only problem with this is pointed out in the comments this DOES NOT restrict the user to update only (they can install/remove packages).

If you want to restrict a user to be able to update only you're better off doing the following.

Create a group or use the %staff group.

In this example, i'm choosing to use the staff user group.

Update the sudoers document.

export editor="vi" && sudo visudo

Create a Cmnd_Alias which will define a bash script permitted.

Cmnd_Alias UPDATER_ONLY = /usr/local/bin/updater.sh

You need to define how this command is permitted.

# Require staff to enter password when updating.
%staff ALL= UPDATER_ONLY

# Or, password is not required, just run the updater.
%staff ALL= NOPASSWD: UPDATER_ONLY

Finally, you need to create the shell.

To prevent anyone editing the file this should be owned by root and read-only, or created whilst running sudo.

$ sudo echo '#!/bin/bash' >> /usr/local/bin/updater.sh
$ sudo echo 'sudo apt-get update && sudo apt-get upgrade -y' >> /usr/local/bin/updater.sh
$ sudo chmod 0755 /usr/local/bin/updater.sh

This should look like the following:

$ ls -la /usr/local/bin/updater.sh
-rwxr-xr-x 1 root root 60 Jan 22 08:50 /usr/local/bin/updater.sh*

We're almost done!

You need to remember to permit this privilege by adding the user to the staff group.

sudo usermod -aG staff the-user

If someone attempts to install something this is what they receive:

test-me@comp0:~$ sudo apt-get install test
[sudo] password for test-me: 
Sorry, user test-me is not allowed to execute '/usr/bin/apt-get install test' as root on comp0.

Solution 2

First, edit the /etc/sudoers only with visudo

You can set the permission to the user joe for apt-get command only adding the following line:

%joe your_hostname=(root):/usr/bin/apt-get

Once logged in as joe, you can check the permissions:

sudo -l

Edit: The user will be able to use apt-get update, upgrade, install, etc; since those are just flags for the apt-get command.

16,744

Alex Lowe

Updated on September 18, 2022

Comments

Alex Lowe over 1 year

I cannot figure out how to allow a user (in this case test) to only be able to run the apt-get update command with the sudoers file. When ever I try to add the user and then test it out it still does not allow the user to run the command.

Can someone please help me out? I have been researching this all day and can still not figure it out. I am probably typing in something wrong.

I'm using Ubuntu 14.04.
- Admin about 9 years
  
  Isn't apt get update only available to sudoers ? So if a user not a sudoer the user shouldn't be able to run it
- Admin about 9 years
  
  @Serg I suppose OP wants to restrict a user to only that command (no sudo priveleges).
kingmilo about 9 years

@andre would it not just be /usr/bin/apt-get as the update, upgrade, remove etc are merely flags for that command so if the user can run apt-get they are not restricted to the flags they can use :)
Admin almost 2 years

What does (root) mean here?