[kebbelj]

I want to give users the ability to Add/Remove software on a specific machine, but I do not want to add these users to the Sudoers list. How would I enable an ordinary user to install or delete software using just his account, but not have any other root privileges?

(Automatix asks for an administrator password and the Add/Remove menu item that appears in accounts with sudoer access does not appear in non-sudoer accounts.)

[dandart]

Set the last option in your sudoers to just the install programs: dpkg, apt-get, etc. Then they will not be able to sudo to do anything else

[kebbelj]

Thanks, I will try your solution as soon as I am able to get to that machine.

A related question, actually the inverse of the original question--Is it possible to specify that a member of sudoers can NOT do certain things. For instance, be barred from shutting down parental controls (Dansguardian) but be able to do just about anthing else?

[Jonathan183]

Yes ... but it is better to grant permission rather than deny. See the security info section of

Code:

man sudoers

[kebbelj]

I was already working my way through the sudoers manual when this showed up and I jumped ahead to the Security section. I see your point. Thanks.

[kebbelj]

I added this to the last line of /etc/sudoers with visudo ...

Code:

kebbelj ALL=/usr/bin/dpkg, usr/bin/automatix.py, /usr/bin/X11/apt-get, /usr/bin/apt-get, /usr/bin/gnome-app-install, /usr/bin/synaptic

This seems to have given me access. However, when I try to run synaptic, I get ...

Code:

FAILED TO RUN SYNAPTIC
The underlying authorization mechanism (sudo) does not allow you to run this program. Contact the system administrator.

I would really love to have synaptic enabled. Any reason it's not working? (I checked to see if there was a synaptic in /usr/bin/X11, but there wasn't one there.)

[Jonathan183]

Is synaptic in /usr/sbin ... thats where it looks to be in Mint ?

[kebbelj]

It was /usr/sbin

Thanks to you and everyone else who supplied guidance.