Is it possible to keep a system up-to-date when it is used mainly by a non-sudo user?
I have given a laptop to a relative who is regaining their tech-savviness (but not there yet). To stop them doing something too dangerous, I did not allow their account sudo access. As I do not use the laptop, is there a way I can keep it up-to-date so it’s secure?
I tried DNF automatic but it seem to request my sudo-user password when it triggered.
You can add a rule to /etc/sudoers.d/update (for example) that allows one specific command to be run by the non-priv’ed user.
For example I could have this in /etc/sudoers.d/update
barry ALL=NOPASSWD: /usr/local/bin/update-system.sh
Change “barry” to be the username of your relatives account.
Put the stepts to update the system into /usr/local/bin/update-system.sh.
Edit: I suggest that you keep a log of what the script does and when it does it.
That way when your relative says its not working you can read the logs to see what happened.
One caution there.
When allowing a user to execute a command in the way you show it, the command must be entered on the command line exactly as it shows in that sudoers file. Thus the command you give as an example must be entered exactly as /usr/local/bin/update-system.sh and the user must know the exact command to use including the full path.
If you really want to update manually instead of using the update functionality built into the desktop, I would just run pkcon update, since unlike dnf it doesn’t require root access.
(I don’t know why dnf still requires root access to install updates. Seems pointless, since GNOME and PackageKit do not.)
Why not just use GNOME Software? It’s an appropriate use-case: non-tech-savvy user (yet), not in the wheel group, and GNOME Software doesn’t require admin priviledges to update the system.