Allow security updates without sudo password

[mixmastamyk]

The update mechanism requires sudo likely because apt requires it.

However that means everyday users need to have a sudo privileges just to get security updates. That shouldn't be the case. Everyone should have access to the latest security patches without undue work.

I recently found out about this daemon/command at askubuntu to run updates without sudo:

https://askubuntu.com/a/391992/116108

Software Updates uses aptdaemon to do all the work. 
You can do that from the command line using aptdcon:

Check for updates:

    aptdcon --refresh

Install updates:

    aptdcon --safe-upgrade

Would be great if the mint updater supported it.

[mtwebster]

Non-admin users shouldn't be able to update the system. It's still an update and updates can break things. Entering their password isn't undue work for admins.

That aptdcon command doesn't just install security updates - If you were going to do this you may as well enable automatic updates (Edit->Preferences->Automation).

[mixmastamyk]

I tend to disagree. Bear with me for a moment. Take for example a kid on a laptop.

Updates are not that a big deal:

• Debian and Ubuntu sources almost never update to newer versions of a package during a release. You basically get security patches and nothing else only with few exceptions. (see below)
• aptdcon doesn't update kernels etc.
• I haven't had a broken update in ... I don't know, years, maybe decade(s)---this distribution is not bleeding edge, it's LTS.
• Even when there was a problem it was not hard to fix, since the invention of the live CD.

Online security:

• Security patches come all the time, and several times a year they are critical.
• Today's environment is one where online security trumps most concerns.
• Firefox and Thunderbird are two of the packages that do get regularly updated, and they are exactly the ones you want updated ASAP.
• Unattended upgrades is not a bad workaround, but misses the point of having the user see and be a part of the update process, without needed sudo permissions. It also seems to be gated on "snapshot setup" which I don't know much about and feels excessive for the given risk. (see above)

Also, traditional ideas about the division between admins and users (and focus on stability above all else) are now kinda old-fashioned when every user has multiple cheap computers, and live/restore disks are ubiquitous.

So arguably, I think the risk from delayed online security updates is an order of magnitude higher than a bad update risk.

There really should be some option or group I could put the user into, but it doesn't seem to be a thing. This GUI could alleviate that and provide the option of using aptdcon. The fact that it exists shows someone at Debian thought the idea worthwhile.

Cheers,

[carlosmintfan]

Wow, aptdcon can do APT operations without sudo? Is that because a daemon always runs in the background as root and the application can use it? Can a use disable that manually? EDIT: Found out, /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla

[carlosmintfan]

Ah, but you need to enter a password of an admin if you aren't an admin, okay ;)