Is it possible to give a user the rights to install software, without giving him other sudo-rights?
Let's say I were to install Ubuntu on the student's computers at a school. I would like them to be able to install software from the software center, but not to do anything else to the system.
As per the link that @tom has pointed out above, it is certainly possible to do so, but this is a bad idea.
There are countless exploits that could be performed with access to apt + dpkg, here's one off of the top of my head:
Create a simple deb package with a special install script that simply adds a particular user to the admin groups and/or changes the root password.
Install the package using sudo dpkg -i or the Software Center.
You now have root-level permissions to the system.
Another possibility would be users installing potentially hazardous software on the computer and/or removing important things, esp:
*libc* (Most programs use many, many c calls)linux*(No kernel = nothing to boot)grub* (No bootloader = no booting into kernel)* My favorite - PURGE ALL INSTALLED PACKAGESA better idea that might work out for you would be to have an install queue that users can recommend packages to, which a sysadmin checks every now and then and installs where necessary. Installing across multiple machines could be done in a variety of ways. Here's one easy way to install across selective groups of machines:
Host additional packages on a repo on a server within your control within your network.
Make sure that the repo is setup on all computers within the building.
Setup a cronjob that runs every 15 or so minutes to install all upgrades (sudo apt-get update; sudo apt-get -y upgrade)
On the repo-server, if you want a group of computers to have a given package, update the package for that group of computers so that the package you want installed is a dependency of the computer-group-package.
If the package you want to install (and/or its dependencies) are not available from the main repos, add them to the repo-server.
Hope this helps.
