Allow non-admin users to install packages via apt or rpm?

You can specify the allowed commands with sudo; you don't have to allow unlimited access, e.g.

username ALL = NOPASSWD: /usr/bin/apt-get, /usr/bin/aptitude

This would allow username to run sudo apt-get and sudo aptitude without any password but would not allow any other commands.

You can also use PackageKit combined with PolicyKit for a finer level of control than sudo.

Allowing users to install/remove packages can be a risk. They can pretty easily render a system nonfunctional just by uninstalling necessary software like libc6, dpkg, rpm etc. Installing arbitrary software from the defined archives may allow attackers to install outdated or exploitable software and gain root access. The main question in my opinion is how much do you trust your employees?

Of course, your admin team could also start using a configuration management system like Puppet or Chef, or look into Spacewalk to manage your system. This would allow them to configure and manage the system from a central system.


From the man pages:

aptdcon: allows to perform package management tasks, e.g. installing or removing software, using aptdaemon. There isn't any need to be root to run this program.

username ALL = NOPASSWD: /usr/bin/yum, /bin/rpm
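
An added example, not code from any of the answers: a small Python audit of sudoers rules like the apt-get/aptitude and yum/rpm lines quoted above. A sudoers command listed without arguments may be run with any arguments, so the check reports package managers granted that way. It assumes single-line rules with no aliases or line continuations; `audit_sudoers`, `SAMPLE_SUDOERS` and the `deploy` and `%ops` entries are constructed for illustration.

```python
import re

# Package managers named on this page, matched by basename (assumption).
PACKAGE_MANAGERS = {"apt-get", "aptitude", "yum", "rpm"}

# Constructed sample: the two rules from this page plus narrower variants.
SAMPLE_SUDOERS = """\
username ALL = NOPASSWD : /usr/bin/apt-get , /usr/bin/aptitude
username ALL = NOPASSWD : /usr/bin/yum, /bin/rpm
deploy ALL = (root) NOPASSWD: /usr/bin/apt-get update
%ops ALL = /usr/bin/apt-get install vim, PASSWD: /usr/bin/aptitude
Defaults secure_path = /usr/sbin:/usr/bin
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")  # user  host = command list
PREFIX = re.compile(r"^(?:\([^)]*\)\s*|([A-Z_]+)\s*:\s*)")  # (runas) or TAG:


def audit_sudoers(text):
    """Return (line, user, command, nopasswd) for each package manager that is
    granted with no argument restriction, i.e. runnable with any arguments."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE.match(line)
        if (not m or line.startswith("#") or m[1] == "Defaults"
                or m[1].endswith("_Alias")):
            continue
        nopasswd = False  # tags carry forward along the command list
        # Split on commas that are not inside a (runas) list.
        for cmd in re.split(r",(?![^(]*\))", m[2]):
            cmd = cmd.strip()
            while (p := PREFIX.match(cmd)):
                if p[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = p[1] == "NOPASSWD"
                cmd = cmd[p.end():]
            path, _, args = cmd.partition(" ")
            # An empty argument spec in sudoers means "any arguments".
            if path.rsplit("/", 1)[-1] in PACKAGE_MANAGERS and not args.strip():
                findings.append((lineno, m[1], path, nopasswd))
    return findings


if __name__ == "__main__":
    for lineno, user, path, nopasswd in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user} may run {path} with any arguments"
              f"{' and no password' if nopasswd else ''}")
```

Rules that name a fixed subcommand, such as the constructed `deploy` entry, are not reported because sudo then requires the arguments to match.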