1

Is it possible to give a user the rights to install software, without giving him other sudo-rights?

Let's say I were to install Ubuntu on the student's computers at a school. I would like them to be able to install software from the software center, but not to do anything else to the system.

Nullet
  • 2,984
  • 1
  • 17
  • 15

1 Answers1

1

As per the link that @tom has pointed out above, it is certainly possible to do so, but this is a bad idea.

There are countless exploits that could be performed with access to apt + dpkg, here's one off of the top of my head:

  1. Create a simple deb package with a special install script that simply adds a particular user to the admin groups and/or changes the root password.

  2. Install the package using sudo dpkg -i or the Software Center.

  3. You now have root-level permissions to the system.

Another possibility would be users installing potentially hazardous software on the computer and/or removing important things, esp:

  • *libc* (Most programs use many, many c calls)
  • linux*(No kernel = nothing to boot)
  • grub* (No bootloader = no booting into kernel)
  • * My favorite - PURGE ALL INSTALLED PACKAGES

A better idea that might work out for you would be to have an install queue that users can recommend packages to, which a sysadmin checks every now and then and installs where necessary. Installing across multiple machines could be done in a variety of ways. Here's one easy way to install across selective groups of machines:

  1. Host additional packages on a repo on a server within your control within your network.

  2. Make sure that the repo is setup on all computers within the building.

  3. Setup a cronjob that runs every 15 or so minutes to install all upgrades (sudo apt-get update; sudo apt-get -y upgrade)

  4. On the repo-server, if you want a group of computers to have a given package, update the package for that group of computers so that the package you want installed is a dependency of the computer-group-package.

  5. If the package you want to install (and/or its dependencies) are not available from the main repos, add them to the repo-server.

Hope this helps.

haneefmubarak
  • 485
  • 3
  • 13
  • I was thinking in the lines of restricting the repos in some way, yes. Could I make a school repository that the students could access only through the Software Center? And only have access to the packages from the school repos? This would be fixed by removing all repos, right, except the school server? And the ubuntu security updates? Great answer btw, very helpful! – Nullet Sep 08 '13 at 22:25
  • Well, the thing is, `APT` relies on `dpkg`, meaning that even if you did limit access to external repos, a student could still create a package and install a file via `dpkg -i`. Removing access to `dpkg` means that Software center, which relies on `APT` can't work. If you really want students to be able to do whatever they like, some kind of Virtual Machine based system might work for you, where VMs are running on multiple backend servers, and simply have Thin Client/extended KVMs instead of computers. This gives each student their own environment that they can destroy w/o affecting others'. – haneefmubarak Sep 08 '13 at 22:38