EndeavourOS, Desktop KDE Plasma
what is the easiest way to let my second, non-Admin-user, update the sytem wjhen I am temporaryly absent? (I love the littlle welcome window that picks the right text commands for me).
Is the only way to give him sudo-rights?
Or could he use the welcome window by using the root password?
You could give sudo rights to that user for only the
Isn’t that a bad idea?
Someone could then just
pacman -R <anything>
Would it not be better to write a wrapper script under a shared directory path that specifically runs
pacman -Syu (or offers any additional functionality deemed necessary), and enable it through sudoers nopasswd instead?
*Of course that script MUST be editable by root only!
Just to be clear, I’m not trying to be assertive, it is a genuine question as I’m trying to expand of my knowledge and understanding of linux systems lately, and this question captured my interest
It depends what you are trying to protect. If you are trying to lock down a shared machine at a school for example then yes.
However, if you are just trying to keep a family member from having access to root rights all the time and are OK with them being able to add and remove software then it is a viable solution.
I still wouldn’t trust my family to not run something stupid like
pacman -R linux grub
But I understand your point to more generally be “threat modeling”, which I completely agree with.
Thank you for taking the time to address my question
Then add something like
/usr/bin/pacman -Syu instead of
/usr/bin/pacman. That way they’ll be limited to only updating.
I was just thinking of these two commands from the welcome screen:
==> eos-update --yay
Naively, as a newbie, it would be easiest to give my second user the root password, and change it after I am back again. Giving sudo rights and withdrawing them iwould be more complicared.
As @dalto implied above, it all depends on your “threat model” and even more generally, in your specific use case.
If you are ok with giving absolute power to said user while you are away, then giving them root is fine, sure.
From a System Administration perspective, giving them root access would of course be unacceptable. From that perspective, and (again) depending on your exact needs, there are better ways to limit exactly what a user can/cannot do. You achieve such access by modifying the sudoers file by running
visudo as root.
You can find more information and examples of that on the relevant excerpt of the Arch Wiki:
Note that the use case is always important. An example would be, if you are just going to be away for say 2 weeks, and you only want the other user to “update” (no installs, no removals), then the best option might be to just leave everything as-is and just handle updates once you are back and can deal with it on your own.
Or you could just not update until you come back… How long do you plan to be absent?
If it is under 6 months, there is nothing to worry about. The computer will work normally even if you don’t update it.
When you come back, just post here before you update, saying that you haven’t updated in 6 months or so, in case some manual intervention is needed. Probably there will be nothing special, maybe you’ll need to update the keyring first, but that’s trivial.
IMO, this is not a great idea if the computer will be in use during in their absence. Using long outdated web browsers for examples carries a real risk. Especially if the user is unsophisticated enough that allowing them to have root access is a risk.
It seems to me one would have to be really unlucky for there to be a browser exploit during those 6 months… But yes, it is a concern I have not considered. Six months might be pushing it…
I think you are underestimating the amount of browser exploits that are discovered…
In that case, I will trust your judgement and withdraw my suggestion.
I would say, most importantly, do you trust your second, non-admin user to fix any potential problem that may arise due to a problematic update? If you trust them to handle potential problems, just give them sudo privileges. If you do not trust them to deal with potential problems, just wait until you return to update your system.
One could download the Firefox tar package and install it in the user’s home folder and have them use that browser, and it will auto update itself. Just another option to have them run an always up-to-date browser without having to update the entire system.
Thank you all! I think what I will do is handing over to my second user the reign over my account if I am away for a longer time.