Is it possible to keep a system up-to-date when it is used mainly by a non-sudo user?
I have given a laptop to a relative who is regaining their tech-savviness (but not there yet). To stop them doing something too dangerous, I did not allow their account sudo access. As I do not use the laptop, is there a way I can keep it up-to-date so it’s secure?
I tried DNF automatic but it seem to request my sudo-user password when it triggered.
You can add a rule to /etc/sudoers.d/update (for example) that allows one specific command to be run by the non-priv’ed user.
For example I could have this in /etc/sudoers.d/update
barry ALL=NOPASSWD: /usr/local/bin/update-system.sh
Change “barry” to be the username of your relatives account.
Put the stepts to update the system into /usr/local/bin/update-system.sh.
Edit: I suggest that you keep a log of what the script does and when it does it.
That way when your relative says its not working you can read the logs to see what happened.
One caution there.
When allowing a user to execute a command in the way you show it, the command must be entered on the command line exactly as it shows in that sudoers file. Thus the command you give as an example must be entered exactly as /usr/local/bin/update-system.sh and the user must know the exact command to use including the full path.
If you really want to update manually instead of using the update functionality built into the desktop, I would just run pkcon update, since unlike dnf it doesn’t require root access.
(I don’t know why dnf still requires root access to install updates. Seems pointless, since GNOME and PackageKit do not.)
Why not just use GNOME Software? It’s an appropriate use-case: non-tech-savvy user (yet), not in the wheel group, and GNOME Software doesn’t require admin priviledges to update the system.
Can’t speak for OP, but for me, it is because I do not think updates should require my interaction. I want it to cook in the background, and lmk if an error happened :)
Note: this is the behavior I am used to and like of macOS, and it is a setting in Windows. I cannot find a setting to automatically apply updates in GNOME Software (in Workstation at least).
Does not the ‘Updates’ tab in gnome software show a button to perform updates when they are available?
The packagekit-offline-update.service is normally enabled and in my experience usually shows a check box in the popup panel that shows up when doing a shutdown or restart if there are updates to be done. When updates are available that checkbox should already be checked so the simple act of a shutdown or restart should do the updates for you.
In the gnome settings → system – software update it also should open the gnome software app and allow for updates by all users