Easy "Add/Remove Programs" for non-sudoers with local PREFIX?

Kevin Fries kfries at cctus.com
Thu Jan 3 18:00:32 UTC 2008


On Thu, 2008-01-03 at 18:20 +0100, Carsten Agger wrote:
> Is there any reason for this - I mean, is the use case of a non-root
> user wishing to install software and still using "standard" utilities
> like "Add/Remove Programs" considered insignificant? Has there already
> been discussions about this and in that case, do you remember the arguments
> for and against?
> 
> (Having utilities like 0install is great, but I was also thinking about
> the overall user-friendliness of Ubuntu, and making it easy for non-root
> users to install e.g. games from the universe repositories without
> bothering the admin and without having to know how to recompile from
> scratch seems like an essential use case for me.)

What you are bucking against is Linux Philosophy more than a technical
problem.  Let's see if I can explain this without starting a flame war.

One of the concepts of Linux (and modern Macs) is the concept of a
separation of preferences versus system administration.  Microsoft does
not have that separation, and this is the cause of much of their
security "issues".  Linux avoids much of that by defining two areas of
configuration, system and user.

User configurations are items that only affect the logged in user
experience.  These items are things such as Colors, icons, window
decorations, email preferences, etc.  These are set on a user by user
basis, and are stored in ~/.program directories.  Configuring these
settings is done via the System->Preferences menu.

System configurations are items that affect users system wide.
Available network configurations, Printers, and software available
generally fall into this category.  The configurations for these items
generally exist in /etc folder, and are graphically configured via the
System->Administration menu.

Some items fall into a great abyss of uncertainty.  For example, WEP
information.  If I put up a wireless network at my office, and have a
laptop that several people use, should the key be configured globally?
However, being a laptop, authentication of multiple networks is
probable, and cannot be administered globally.  It's a system wide
service (wireless networking), but needs to be configured on a user by
user basis.  These gray areas have never been Linux's strong suit.

When it comes to software available though, most of this comes from a
historical perspective of centrally administered machines.  In the old
days (20 computer years = 1 human year, so the old days are not all that
long ago, lol) most Unix based machines were shared among several users.
All software was centrally installed and configured.  If a user wanted,
they could always install a custom program into their own ~/ folder.
Some Unixes actually placed ~/bin in their execution path.  It's this
history that you are bucking right now.

Having this separation has actually helped the Nixes to avoid the virus
problems of the Windows environment.  Because end users can only install
software to their own directory, they cannot infect the core of the OS
with a virus.  Because of the elevated privileges required, software
cannot install automatically like it does in say ActiveX.  While the
practice of having admins do all installs was to keep some sanity in a
machine with multiple users, it is this security reason more than any
other as to why installs remain the realm of the admin.

Modern Nix based systems have a wonderful tool called SUDO that makes
getting around this issue extremely easy.  If you want someone to be
able to admin your box, add them to the admin group on any Ubuntu based
system.  Then they have sudo access to any root command.  If you want to
allow non-root users to be able to install software, that is easy also:

  - Create a group called swinstall
  - In your /etc/sudoers file add the following line:
      %swinstall ALL = /usr/bin/update-manager
  - Add any user you wish to have software install access to the
    swinstall group.

Hope this helps

-- 
Kevin Fries
Senior Linux Engineer
Computer and Communications Technology, Inc
A Division of Japan Communications Inc.
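
The three steps from the message above as a script, added here as an example that is not part of the original post. It assumes a system that reads /etc/sudoers.d (the message edits /etc/sudoers directly) and checks the rule with visudo -c before installing it; the function names and the drop-in path are hypothetical.

```shell
#!/bin/sh
# Added example: the swinstall delegation described in the message.
GROUP=swinstall
CMD=/usr/bin/update-manager
DROPIN=/etc/sudoers.d/swinstall   # assumed drop-in path, not from the message

# Print the sudoers rule for one group and one command.
# Only a plain absolute path is accepted, so a relative name or a
# wildcard can never widen what the group may run as root.
sudoers_rule() {
    case "$2" in
        /*) ;;
        *) echo "command must be an absolute path: $2" >&2; return 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9/._-]*) echo "unsafe character in command: $2" >&2; return 1 ;;
    esac
    printf '%%%s ALL = %s\n' "$1" "$2"
}

# Create the group, validate the rule, install it, then add the users.
apply_delegation() {
    tmp=$(mktemp) || return 1
    sudoers_rule "$GROUP" "$CMD" > "$tmp" || { rm -f "$tmp"; return 1; }
    # visudo -c parses the file without installing it; a syntax error in
    # a live sudoers file can lock every admin out of sudo.
    visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    groupadd -f "$GROUP" || { rm -f "$tmp"; return 1; }
    # sudoers files should be root-owned and mode 0440.
    install -m 0440 -o root -g root "$tmp" "$DROPIN" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    for user in "$@"; do
        usermod -aG "$GROUP" "$user" || return 1
    done
}

# Usage (as root): sh swinstall.sh apply alice bob
if [ "${1:-}" = "apply" ]; then
    shift
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_delegation "$@"
fi
```

Group membership takes effect at the user's next login, and `sudo -l -U <user>` run as root lists what that user may now execute.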



