How can I set the Software Center to allow non-root users to install stuff from the Ubuntu repos without having to type in their password?
I'm fully aware of the security implications, and I am willing to take the risk. Fedora 12 shipped with something like this. (By modifying the PolicyKit configuration, I believe)
You can modify the PolicyKit permissions to allow the users to access the aptdaemon backend that Software Centre uses.
dpkg --listfiles aptdaemon shows that /usr/share/polkit-1/actions/org.debian.apt.policy is the file specifying the actions possible on the aptdaemon backend.
Looking in that file, the < action id=""> tags specify the possible actions. You'd probably want org.debian.apt.install-packages to allow users to install new packages from the archive, and org.debian.apt.update-cache to allow users to update the package lists.
See man pklocalauthority which documents how to set local permissions on PolicyKit actions. Putting the following into /etc/polkit-1/localauthority/50-local.d/10-allow-users-to-install.pkla will allow any user logged in to the local machine to install packages after typing their own password (even when they're not in the admin group) and to update the package cache without typing any password.
[Untrusted Install]
Action=org.debian.apt.install-or-remove-packages
ResultyAny=no
ResultInactive=no
ResultActive=auth_self
[Untrusted Update]
Action=org.debian.apt.update-cache
ResultAny=no
ResultInactive=no
ResultActive=yes
I don't think it's currently possible to do so via the GUI, but the following should work, albeit be a little kludgy. YMMV.
Add the following line to /etc/sudoers (use sudo visudo to edit the file):
%packageinstallers ALL = NOPASSWD: /usr/bin/software-center /usr/bin/apt-get
Then you just need to create and add the specific users to the packageinstallers group:
$ sudo addgroup packageinstallers
$ sudo adduser jdoe packageinstallers
Now jdoe can do the following:
$ sudo apt-get install <some-package>
and you can edit the desktop menu item for the Software Center so that it call on software-center prepending the command with gksudo.
PolicyKit may allow you to do so without sudo, but it's beyond my understanding at this point.
If you only need a generic permission to allow/disallow package installation, go for PolicyKit.
Unfortunately PolicyKit doesn't have fine control over the package to install. If you want to give your users permission to install only a restricted set of applications, you should use sudo and install something like softwarechannels...
I also looked for something like that, but since I didn't find anything, I coded this easy solution "softwarechannels", available here on GitHub
It is a very simple system to allow common (non-admin) users to install packages from restricted catalogs.
Just define 'channels' (groups of packages) in a simple text file and give your users permissions to launch softwarechannels.
They will only see packages in channels matching their unix groups.
RAOF's answer applies to Ubuntu only. Kubuntu uses QAptWorker as backend (observed for Natty and Oneiric). To allow for non-root installations, create /etc/polkit-1/localauthority/50-local.d/10-allow-non-root-install-packages.pkla containing:
[Update Software Sources]
Action=org.kubuntu.qaptworker.updateCache
ResultAny=no
ResultInactive=no
ResultActive=yes
[Install Software]
Action=org.kubuntu.qaptworker.commitChanges
ResultAny=no
ResultInactive=no
ResultActive=auth_self
I wanted to allow some non-admin users to install software while not granting sudo access directly. That was accomplished by inserting the next lines in both configuration groups:
Identity=unix-user:some-non-admin-user
If there is a group that must be granted permission, use unix-group instead of unix-user.
To make this working in my Ubuntu 18.04, I had to change the /etc/polkit-1/localauthority/50-local.d/10-allow-users-to-install.pkla file to:
[Untrusted Install]
#Action=org.debian.apt.install-or-remove-packages
Action=org.freedesktop.packagekit.package-*
ResultyAny=no
ResultInactive=no
ResultActive=auth_self
Identity=*
[Untrusted Update]
Action=org.debian.apt.update-cache
ResultAny=no
ResultInactive=no
ResultActive=yes
Identity=*
[Admin Install]
#Action=org.debian.apt.install-or-remove-packages
Action=org.freedesktop.packagekit.package-*
ResultyAny=no
ResultInactive=no
ResultActive=yes
Identity=unix-group:adm
Moreover with the last rule I enable everybody in the adm group to install/remove without any password.
